CVE-2015-3420

Edwardo Garcia wdgarc88 at gmail.com
Tue Apr 28 11:34:38 UTC 2015


On 4/28/15, Timo Sirainen <tss at iki.fi> wrote:
> On 28 Apr 2015, at 11:35, Timo Sirainen <tss at iki.fi> wrote:
>>
>> On 28 Apr 2015, at 04:15, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
>>> When can we expect 2.2.17 to resolve this?
>>
>> As far as I know this doesn't affect any of the major distributions where
>> Dovecot is commonly used (Debian/Ubuntu/Redhat/CentOS). I've only heard it

Most of those distributions are on way outdated versions anyway; if they
were not, maybe the problem would be seen too.

>> happening with some self-compiled OpenSSL versions (Arch/Gentoo?), so I
>> don't see this as an especially critical issue. But I'm planning on a v2.2.17
>> release sometime soon anyway for other reasons.
>
> Oh, forgot to post also the committed patch fixing this:
> http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
>

Thank you. With a couple million users we cannot afford to take a chance, so
we will apply the patch this morning on all servers.

