CVE-2017-15132
Severity: HIGH
dovecot 2.0-2.2.33 - Memory Leak via SASL Authentication Abort
Title source: llmDescription
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has an impact in high-performance configurations where the same login processes are reused, and can cause the process to crash due to memory exhaustion.
References (7)
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html
Issue Tracking, Patch, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1532768
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2018/dsa-4130
Third Party Advisory (vendor-advisory, x_refsource_ubuntu): https://usn.ubuntu.com/3556-1/
Third Party Advisory (vendor-advisory, x_refsource_ubuntu): https://usn.ubuntu.com/3556-2/
Vendor Advisory (mailing-list, x_refsource_mlist): https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
Scores
CVSS v3: 7.5
EPSS: 0.0318
EPSS Percentile: 86.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-772, CWE-400
Status: published
Products (9)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
dovecot/dovecot 2.3.0
dovecot/dovecot 2.0.0 - 2.2.33
Published: Jan 25, 2018
Tracked Since: Feb 18, 2026