openSUSE Security Update : dovecot22 (openSUSE-2017-787)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for dovecot22 to version 2.2.30.2 fixes the following
issues:

This security issue was fixed:

- CVE-2017-2669: Don't double-expand %variables in keys.
If dict was used as the authentication passdb, specially
crafted %variables in the username could be used to
cause a DoS (bsc#1032248).

Additionally, stronger default SSL ciphers are now used.

This non-security issue was fixed:

- Remove all references to /etc/ssl/certs/; it should not be
used anymore (bsc#932386).

Version 2.2.30.2 also includes many fixes and enhancements:

- Multiple failed authentications within a short time caused
crashes.

- Use timing safe comparisons for everything related to
passwords.

- Master process now sends SIGQUIT to all running children
at shutdown, which instructs them to close all the
socket listeners immediately. Restarting Dovecot should
no longer fail due to some processes keeping the
listeners open for a long time.

- Add passdb { mechanisms=none } to match a separate passdb
lookup.

- Add passdb { username_filter } to use the passdb only if the
user matches the filter.

- Add dsync_commit_msgs_interval setting. It attempts to
commit the transaction after saving this many new
messages.

- Support imapc_features=search without ESEARCH extension.

- Add imapc_features=fetch-bodystructure to pass through
remote server's FETCH BODY and BODYSTRUCTURE.

- Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on
the remote server.

- Add allow_invalid_cert and ssl_ca_file parameters.

- If dovecot.index.cache corruption is detected, reset
only the one corrupted mail instead of the whole file.

- Add 'firstsaved' field to doveadm mailbox status.

- Add old host's up/down and vhost count as parameters to
director_flush_socket.

- More fixes to automatically fix corruption in
dovecot.list.index.

- Fix support for dsync_features=empty-header-workaround.

- IMAP NOTIFY wasn't working for non-INBOX if IMAP client
hadn't enabled modseq tracking via CONDSTORE/QRESYNC.

- Fix fts-lucene to work again with the mbox format.

- Some internal error messages may have contained garbage
in v2.2.29.

- Re-encrypt when copying/moving mails if per-mailbox
keys are used; otherwise the copied mails can't be
opened.

This update was imported from the SUSE:SLE-12:Update update project.

See also:

https://bugzilla.opensuse.org/show_bug.cgi?id=1032248
https://bugzilla.opensuse.org/show_bug.cgi?id=854512
https://bugzilla.opensuse.org/show_bug.cgi?id=932386

Solution:

Update the affected dovecot22 packages.
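As an added example (not code from the Tenable plugin or the openSUSE advisory), the check a local security plugin performs for this advisory is a package version comparison against the fixed version 2.2.30.2. The snippet below implements a simplified rpmvercmp (no tilde/caret handling) and applies it to constructed sample versions; the advisory does not state the fixed package release number, so only the version part is compared.

```python
import re

# Fixed dovecot22 version named in the advisory (openSUSE-2017-787).
FIXED_VERSION = "2.2.30.2"


def _segments(version):
    """Split a version the way rpm does: runs of digits and runs of letters;
    every other character (., -, _) is just a separator."""
    return re.findall(r"\d+|[A-Za-z]+", version)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1 if a < b, 0 if equal, 1 if a > b.
    Tilde and caret pre-release markers are not handled (assumption)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            # numeric segments compare as integers (leading zeros ignored)
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            # a numeric segment is considered newer than an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            # two alphabetic segments compare lexically
            return -1 if x < y else 1
    # all shared segments equal: the version with more segments is newer
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def is_vulnerable(installed_version, fixed_version=FIXED_VERSION):
    """True when the installed dovecot22 version is older than the fix.
    installed_version is the %{VERSION} tag, e.g. from
    rpm -q --qf '%{VERSION}\\n' dovecot22 (release part not compared)."""
    return rpmvercmp(installed_version, fixed_version) < 0


if __name__ == "__main__":
    # Constructed sample values, not output from a real host.
    for v in ("2.2.29", "2.2.30", "2.2.30.2", "2.2.31"):
        state = "VULNERABLE" if is_vulnerable(v) else "patched"
        print(f"dovecot22 {v}: {state}")
```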

Risk factor:

Medium

Family: SuSE Local Security Checks

Nessus Plugin ID: 101284

CVE ID: CVE-2017-2669
