Debian DSA-4130-1 : dovecot - security update

Medium Nessus Plugin ID 107122


The remote Debian host is missing a security-related update.


Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues :

- CVE-2017-14461 Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that Dovecot does not properly parse invalid email addresses, which may cause a crash or leak memory contents to an attacker.

- CVE-2017-15130 It was discovered that TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted, resulting in a denial of service. Only Dovecot configurations containing local_name { } or local { } configuration blocks are affected.

- CVE-2017-15132 It was discovered that Dovecot contains a memory leak flaw in the login process on aborted SASL authentication.


Upgrade the dovecot packages.

For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.13-12~deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 1:2.2.27-3+deb9u2.

See Also

Plugin Details

Severity: Medium

ID: 107122

File Name: debian_DSA-4130.nasl

Version: $Revision: 3.1 $

Type: local

Agent: unix

Published: 2018/03/05

Modified: 2018/03/05

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P


Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:dovecot, cpe:/o:debian:debian_linux:8.0, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 2018/03/02

Reference Information

CVE: CVE-2017-14461, CVE-2017-15130, CVE-2017-15132

DSA: 4130