Bug 1570017
Summary: | Premature LOGOUT disconnect on SSL connections - BYE not flushed / correctly sent | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Graham Leggett <minfrin>
Component: | dovecot | Assignee: | Michal Hlavinka <mhlavink>
Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE - Apps <qe-baseos-apps>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 7.7 | Keywords: | Patch
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2020-02-07 18:27:12 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Graham Leggett
2018-04-20 12:51:50 UTC
A fix for this bug appears to have been applied to dovecot in 2014:
https://dovecot.org/list/dovecot-cvs/2014-June/024504.html

The fix was distributed in Debian here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751682

Red Hat appeared to not distribute the fix for CVE-2015-3420:
https://access.redhat.com/security/cve/cve-2015-3420

The following bug report claimed that the dovecot fix described above caused the CVE, which doesn't seem to make sense:
https://bugzilla.redhat.com/show_bug.cgi?id=1216057

Downloaded the SRPM for dovecot and applied the following two patches, and the problem was fixed:
https://dovecot.org/list/dovecot-cvs/2014-June/024504.html
https://www.dovecot.org/list/dovecot-cvs/2014-June/024509.html

Upstream fixed this for dovecot 2.2.17, we have updated to dovecot 2.2.36 that contains that fix.