Ubuntu 16.04 LTS / 16.10 : dovecot regression (USN-3258-2)

Severity: High, Nessus Plugin ID: 99303


The remote Ubuntu host is missing a security-related patch.


USN-3258-1 intended to fix a vulnerability in Dovecot. Further investigation revealed that only Dovecot versions 2.2.26 and newer were affected by the vulnerability. Additionally, the change introduced a regression when Dovecot was configured to use the 'dict' authentication database. This update reverts the change. We apologize for the inconvenience.

It was discovered that Dovecot incorrectly handled some usernames. An attacker could possibly use this issue to cause Dovecot to hang or crash, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Update the affected dovecot-core package.

Plugin Details

Severity: High

ID: 99303

File Name: ubuntu_USN-3258-2.nasl

Version: $Revision: 3.3 $

Type: local

Agent: unix

Published: 2017/04/12

Modified: 2017/08/16

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.8

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:dovecot-core, cpe:/o:canonical:ubuntu_linux:16.04, cpe:/o:canonical:ubuntu_linux:16.10

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/04/11

Reference Information

CVE: CVE-2017-2669

OSVDB: 155237

USN: 3258-2