Candidate: CVE-2015-3420
PublicDate: 2017-09-19 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3420
 http://dovecot.org/pipermail/dovecot/2015-April/100618.html
 http://www.openwall.com/lists/oss-security/2015/04/26/3
Description:
 The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allows remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.
Ubuntu-Description:
Notes:
 tyhicks> Thanks to Hanno's analysis on the dovecot list, I believe that the issue was introduced by http://hg.dovecot.org/dovecot-2.2/rev/09d3c9c6f0ad. That commit was first released in 2.2.14.
Bugs:
Priority: medium
Discovered-by: Hanno Böck
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H [5.9 MEDIUM]

Patches_dovecot:
upstream_dovecot: needed
lucid_dovecot: not-affected
precise_dovecot: not-affected
trusty_dovecot: not-affected
trusty/esm_dovecot: not-affected
utopic_dovecot: not-affected
vivid_dovecot: not-affected (1:2.2.9-1ubuntu5)
devel_dovecot: DNE