A flaw was found in the way Dovecot handled SSL handshake failures. A remote attacker could use this flaw to crash the imap-login
and pop3-login processes.
Note that only Dovecot installations accepting SSL/TLS connections that have SSLv3 disabled are vulnerable.
Created dovecot tracking bugs for this issue:
Affects: fedora-all [bug 1216059]
Steps to reproduce, taken from http://dovecot.org/pipermail/dovecot/2015-April/100618.html:
Add to config: ssl_protocols = !SSLv2 !SSLv3
Run: openssl s_client -ssl3 -connect localhost:995
It looks like the following commit introduced the described behaviour (not confirmed):
Our RHEL versions do not have this change. Fedora has this in the source, but I still was not able to trigger a crash. It's possible that our OpenSSL versions handle this situation more gracefully, but I didn't investigate that.
This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 5, 6, and 7.