
Re: testing dovecot for Wheezy LTS



On 2018-03-26 22:40:38, Thorsten Alteholz wrote:
> Hi everybody,
>
> I uploaded version 1:2.1.7-7+deb7u2 of dovecot to:
>
> https://people.debian.org/~alteholz/packages/wheezy-lts/dovecot/
>
> It contains patches for CVE-2017-14461, CVE-2017-15130 and CVE-2017-15132.
>
> Please give it a try and tell me about any problems you met.

I do not have a production Dovecot environment running wheezy anymore.
I was able to reproduce CVE-2017-14461 in a Vagrant VM and can confirm
that issue is fixed by your test packages.

So consider this a working smoke test.

For what it's worth, I have crafted this reproducer from the advisory:

printf "From: attacker@nevermind\nSubject: test\nContent-Type: message/rfc822\n\nFrom: aaaa@(\nFrom: a(aa\n" | /usr/lib/dovecot/dovecot-lda -d vagrant

Before, it crashes, now it delivers.

Cheers!

A.
-- 
Nature hides her secret because of her essential loftiness, but not by
means of ruse.
                       - Albert Einstein

