CVE-2015-3420

Timo Sirainen tss at iki.fi
Tue Apr 28 11:26:14 UTC 2015


On 28 Apr 2015, at 11:43, Marc Schiffbauer <m at sys4.de> wrote:
> 
> * Timo Sirainen schrieb am 28.04.15 um 11:35 Uhr:
>> On 28 Apr 2015, at 11:35, Timo Sirainen <tss at iki.fi> wrote:
>>> 
>>> On 28 Apr 2015, at 04:15, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
>>>> When can we expect 2.2.17 to resolve this?
>>> 
>>> As far as I know this doesn't affect any of the major distributions where Dovecot is commonly used (Debian/Ubuntu/Redhat/CentOS). I've only heard it happening with some self-compiled OpenSSL versions (Arch/Gentoo?), so I don't see this as especially critical issue. But I'm planning on v2.2.17 release sometimes soon anyway for other reasons.
>> 
>> Oh, forgot to post also the committed patch fixing this: http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
> 
> Hi Timo,
> 
> does this affect 2.2.16 *only*?

The code has been there v2.2.14 - v2.2.16. I'm not sure if it could have affected older versions also in some way.



More information about the dovecot mailing list