CVE-2015-3420
Timo Sirainen
tss at iki.fi
Tue Apr 28 19:07:17 UTC 2015
Timo Sirainen <tss at iki.fi> kirjoitti 28.4.2015 kello 11.35:
>
>> On 28 Apr 2015, at 04:15, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
>> When can we expect 2.2.17 to resolve this?
>
> As far as I know this doesn't affect any of the major distributions where Dovecot is commonly used (Debian/Ubuntu/Redhat/CentOS). I've only heard it happening with some self-compiled OpenSSL versions (Arch/Gentoo?), so I don't see this as especially critical issue. But I'm planning on v2.2.17 release sometimes soon anyway for other reasons.
BTW. I wonder why the bug is officially in Dovecot when it was OpenSSL's new version that started causing the crash.. I wonder how many other software breaks with new OpenSSL.
More information about the dovecot
mailing list