Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3780 to the following vulnerability:

Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3780
[2] http://www.dovecot.org/list/dovecot/2010-October/053450.html

Upstream changeset:
[3] http://hg.dovecot.org/dovecot-1.2/rev/e67b892c9ff3
This issue did NOT affect the versions of the dovecot package, as shipped with Red Hat Enterprise Linux 4 and 5.
--
This issue does NOT affect the versions of the dovecot package, as shipped with Fedora release of 12 and 13 (relevant packages are already updated).
Do we have any reliable reproducer? "Dovecot master process *could have* died if ..." doesn't sound too convincing to me.
(In reply to comment #4)
> Do we have any reliable reproducer? "Dovecot master process *could have*
> died if ..." doesn't sound too convincing to me.
I'm not aware of such a reliable reproducer. You'll need to have a lot of connections at the same time (in theory 3, but not with an idle master process) and still there's only a (medium) chance, no guarantee.
(In reply to comment #5)
> (In reply to comment #4)
> > Do we have any reliable reproducer? "Dovecot master process *could have*
> > died if ..." doesn't sound too convincing to me.
>
> I'm not aware of such a reliable reproducer. You'll need to have a lot of
> connections at the same time (in theory 3, but not with an idle master process)
> and still there's only a (medium) chance, no guarantee.
Thanks for the info. So this'd be SanityOnly; no testcase will be written.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0600 https://rhn.redhat.com/errata/RHSA-2011-0600.html