Alpine: multiple dovecot packages: security update to 2.3.1-r0

high Tenable Cloud Security Plugin ID 423860

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A specially crafted email delivered over SMTP and passed on to Dovecot by the MTA can trigger an out-of-bounds
read, resulting in potential sensitive information disclosure and denial of service. To trigger this
vulnerability, an attacker needs to send a specially crafted email message to the server.
(CVE-2017-14461)

- A denial of service flaw was found in Dovecot before 2.2.34. An attacker able to generate random SNI
server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and causing the
process to restart. (CVE-2017-15130)

- A flaw was found in Dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a
memory leak in Dovecot's auth client used by login processes. The leak has an impact in high-performance
configurations where the same login processes are reused, and it can cause the process to crash due to
memory exhaustion. (CVE-2017-15132)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-14461

https://security.alpinelinux.org/vuln/CVE-2017-15130

https://security.alpinelinux.org/vuln/CVE-2017-15132

Plugin Details

Severity: High

ID: 423860

Version: Revision 1.7

Type: Local

Published: 4/4/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:P

CVSS Score Source: CVE-2017-14461

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/25/2018

Reference Information

CVE: CVE-2017-14461, CVE-2017-15130, CVE-2017-15132

BID: 103201