Fedora 26 : 1:dovecot (2017-e8b639c286)

high Nessus Plugin ID 101742



The remote Fedora host is missing a security update.


+ quota: Add plugin { quota_max_mail_size } setting to limit the maximum individual mail size that can be saved.

+ imapc: Add imapc_features=delay-login. If set, connecting to the remote IMAP server isn't done until it's necessary.

+ imapc: Add imapc_connection_retry_count and imapc_connection_retry_interval settings.

+ imap, pop3, indexer-worker: Add (deinit) to process title before autoexpunging runs.

+ Added %{encrypt} and %{decrypt} variables

+ imap/pop3 proxy: Log proxy state in errors as human-readable string.

+ imap/pop3-login: All forward_* extra fields returned by passdb are sent to the next hop when proxying using ID/XCLIENT commands. On the receiving side these fields are imported and sent to auth process where they're accessible via %{passdb:forward_*}. This is done only if the sending IP address matches login_trusted_networks.

+ imap-login: If imap_id_retain=yes, send the IMAP ID string to auth process. %{client_id} expands to it in auth process. The ID string is also sent to the next hop when proxying.

+ passdb imap: Use ssl_client_ca_* settings for CA validation.

- fts-tika: Fixed crash when parsing attachment without Content-Disposition header. Broken by 2.2.28.

- trash plugin was broken in 2.2.28

- auth: When passdb/userdb lookups were done via auth-workers, too much data was added to auth cache.
This could have resulted in wrong replies when using multiple passdbs/userdbs.

- auth: passdb { skip & mechanisms } were ignored for the first passdb

- oauth2: Various fixes, including fixes to crashes

- dsync: Large Sieve scripts (or other large metadata) weren't always synced.

- Index rebuild (e.g. doveadm force-resync) set all mails as \Recent

- imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix

- doveadm: Exit codes weren't preserved when proxying commands via doveadm-server. Almost all errors used exit code 75 (tempfail).

- ACLs weren't applied to not-yet-existing autocreated mailboxes.

- Fixed a potential crash when parsing a broken message header.

- cassandra: Fallback consistency settings weren't working correctly.

- doveadm director status <user>: 'Initial config' was always empty

- imapc: Various reconnection fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Update the affected 1:dovecot package.

See Also


Plugin Details

Severity: High

ID: 101742

File Name: fedora_2017-e8b639c286.nasl

Version: 3.6

Type: local

Agent: unix

Published: 7/17/2017

Updated: 1/6/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent

Risk Information


Risk Factor: Low

Score: 3.6


Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P


Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:1:dovecot, cpe:/o:fedoraproject:fedora:26

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 4/27/2017

Vulnerability Publication Date: 6/21/2018

Reference Information

CVE: CVE-2017-2669