dovecot - Aug 2019 - CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole

Am 30.08.19 um 10:00 schrieb Christian Balzer via
dovecot:
> When upgrading on Debian Stretch with the security fix packages all
> dovecot processes get killed and then restarted despite having
> "shutdown_clients = no" set.
This is systemd doing its "magic" (kill all control group processes), 
see https://dovecot.org/pipermail/dovecot/2016-June/104546.html
for a potential fix.

Am 30.08.19 um 17:38 schrieb Daniel Lange via dovecot:
> Am 30.08.19 um 10:00 schrieb Christian Balzer via dovecot:
>> When upgrading on Debian Stretch with the security fix packages all
>> dovecot processes get killed and then restarted despite having
>> "shutdown_clients = no" set.
> 
> This is systemd doing its "magic" (kill all control group
processes),
> see https://dovecot.org/pipermail/dovecot/2016-June/104546.html
> for a potential fix.
Actually that will not be enough in the upgrade case as the maintainer 
script calls
  deb-systemd-invoke stop dovecot.socket dovecot.service

I personally think re-connecting clients are normal operations so I 
wouldn't bother. But you could override the stop action in the systemd 
unit if you have local reasons that warrant such a hack.

Daniel,

thanks so much for the detailed pointers.

So it turns out to be both the evil that is systemd and an overzealous
upgrade script.

Apollon, should I raise a Debian bug for this?

As for reasons, how do 50k proxy session on the proxy servers and 25k imap
processes on the mailbox servers sound?

Even on a server with just 6k users and 7k imap processes that causes a
massive load spike and a far longer service interruption (about 50
seconds) than I'm happy with.

Penultimately if people do set "shutdown_clients = no" they hopefully
know
what they are doing and do expect that to work.

Regards,

Christian

On Fri, 30 Aug 2019 17:44:23 +0200 Daniel Lange via dovecot wrote:
> Am 30.08.19 um 17:38 schrieb Daniel Lange via dovecot:
> > Am 30.08.19 um 10:00 schrieb Christian Balzer via dovecot:  
> >> When upgrading on Debian Stretch with the security fix packages
all
> >> dovecot processes get killed and then restarted despite having
> >> "shutdown_clients = no" set.  
> > 
> > This is systemd doing its "magic" (kill all control group
processes),
> > see https://dovecot.org/pipermail/dovecot/2016-June/104546.html
> > for a potential fix.  
> 
> Actually that will not be enough in the upgrade case as the maintainer 
> script calls
>   deb-systemd-invoke stop dovecot.socket dovecot.service
> 
> I personally think re-connecting clients are normal operations so I 
> wouldn't bother. But you could override the stop action in the systemd 
> unit if you have local reasons that warrant such a hack.
> 

-- 
Christian Balzer        Network/Systems Engineer                
chibi at gol.com   	Rakuten Mobile Inc.

Good Morning List,

just a short question to this vulnerability. We are using a setup with dovecot
redirector/proxy frontend servers
and some backend server, which store the mailboxes. 
Is it anough to update the frontend servers if I like to fix the the
vulnerability?

greetings,
Oliver