Created attachment 190049
Fix memory leak in auth_client_request_abort()

A memory leak was found and fixed in dovecot, occurring when SASL authentication is aborted. I've ported the patch. It builds with poudriere 11.1 amd64. Have NOT yet tested functionally.

* Upstream fix: https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060
* CVE reference: http://seclists.org/oss-sec/2018/q1/100

Running a few hours now on a low traffic server (50-100 logins per minute, few hundred concurrent connections at all times), no observed problem, no fallout.

A commit references this bug:

Author: zeising
Date: Mon Jan 29 20:59:18 UTC 2018
New revision: 460336
URL: https://svnweb.freebsd.org/changeset/ports/460336

Log:
  Add patch and fix CVE-2017-15132

  Add upstream patch to fix CVE-2017-15132, memory leak in the log in process that can cause memory exhaustion.

  PR: 225446
  Submitted by: Vladimir Krstulja
  Approved by: adamw (maintainer), swills (ports-secteam)
  MFH: 2018Q1
  Security: 92b8b284-a3a2-41b1-956c-f9cf8b74f500

Changes:
  head/mail/dovecot/Makefile
  head/mail/dovecot/files/patch-src_lib-auth_auth-client-request.c

A commit references this bug:

Author: zeising
Date: Mon Jan 29 21:04:38 UTC 2018
New revision: 460337
URL: https://svnweb.freebsd.org/changeset/ports/460337

Log:
  MFH: r460336

  Add patch and fix CVE-2017-15132

  Add upstream patch to fix CVE-2017-15132, memory leak in the log in process that can cause memory exhaustion.

  PR: 225446
  Submitted by: Vladimir Krstulja
  Approved by: adamw (maintainer), swills (ports-secteam)
  Security: 92b8b284-a3a2-41b1-956c-f9cf8b74f500

  Approved by: ports-secteam (implicit)

Changes:
  _U branches/2018Q1/
  branches/2018Q1/mail/dovecot/Makefile
  branches/2018Q1/mail/dovecot/files/patch-src_lib-auth_auth-client-request.c

Fixed, thanks for your submission! Assign PR to me since I did the commit (approved by adamw on IRC).