A flaw was found in the way Dovecot handled SSL handshake failures. A remote attacker could use this flaw to crash the imap-login and pop3-login processes. Note that only Dovecot installations accepting SSL/TLS connections that have SSLv3 disabled are vulnerable. Additional details: http://dovecot.org/pipermail/dovecot/2015-April/100618.html http://seclists.org/oss-sec/2015/q2/288 Upstream patch: http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1216059]
Steps to reproduce, taken from http://dovecot.org/pipermail/dovecot/2015-April/100618.html: Add to config: ssl_protocols = !SSLv2 !SSLv3 Run: openssl s_client -ssl3 -connect localhost:995 It looks like the following commit introduced the described behaviour (not confirmed): http://hg.dovecot.org/dovecot-2.2/diff/09d3c9c6f0ad/src/login-common/ssl-proxy-openssl.c Our RHEL versions do not have this change. Fedora has this in the source, but I still was not able to trigger a crash. It's possible that our OpenSSL versions handle this situation more gracefully, but I didn't investigate that.
Statement: This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 5, 6, and 7.