Daniel Lange
2019-Aug-30 15:38 UTC
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
On 30.08.19 at 10:00, Christian Balzer via dovecot wrote:
> When upgrading on Debian Stretch with the security fix packages all
> dovecot processes get killed and then restarted despite having
> "shutdown_clients = no" set.

This is systemd doing its "magic" (kill all control group processes), see
https://dovecot.org/pipermail/dovecot/2016-June/104546.html for a potential fix.
Daniel Lange
2019-Aug-30 15:44 UTC
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
On 30.08.19 at 17:38, Daniel Lange via dovecot wrote:
> On 30.08.19 at 10:00, Christian Balzer via dovecot wrote:
>> When upgrading on Debian Stretch with the security fix packages all
>> dovecot processes get killed and then restarted despite having
>> "shutdown_clients = no" set.
>
> This is systemd doing its "magic" (kill all control group processes),
> see https://dovecot.org/pipermail/dovecot/2016-June/104546.html
> for a potential fix.

Actually that will not be enough in the upgrade case as the maintainer
script calls

  deb-systemd-invoke stop dovecot.socket dovecot.service

I personally think re-connecting clients are normal operations so I
wouldn't bother. But you could override the stop action in the systemd
unit if you have local reasons that warrant such a hack.
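One way to keep running IMAP/POP3 sessions alive across a unit stop, as an added example that is not from this thread or the linked 2016 message: a systemd drop-in for dovecot.service. It assumes that systemd's KillMode= directive (default control-group) is what overrides "shutdown_clients = no", and the drop-in file name is a hypothetical choice.

```ini
# /etc/systemd/system/dovecot.service.d/keep-clients.conf  (hypothetical file name)
# Added example, not the distribution's or the project's unit file.
# Assumption: KillMode= is the setting that makes "shutdown_clients = no"
# effective under systemd.
[Service]
# Default KillMode=control-group: on "stop" every process in the unit's
# cgroup is signalled, so imap/pop3 session processes die even though
# dovecot itself would have left them running.
# "process" signals only the main dovecot process; existing sessions stay up
# until the client disconnects.
KillMode=process
```

Run `systemctl daemon-reload` afterwards. Note that sessions left running this way keep executing the pre-upgrade binary, so after a security update such as this one they remain unpatched until they end.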
Christian Balzer
2019-Aug-31 02:30 UTC
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Daniel, thanks so much for the detailed pointers. So it turns out to be both the evil that is systemd and an overzealous upgrade script. Apollon, should I raise a Debian bug for this?

As for reasons, how do 50k proxy sessions on the proxy servers and 25k imap processes on the mailbox servers sound? Even on a server with just 6k users and 7k imap processes that causes a massive load spike and a far longer service interruption (about 50 seconds) than I'm happy with.

Penultimately, if people do set "shutdown_clients = no" they hopefully know what they are doing and do expect that to work.

Regards,
Christian

On Fri, 30 Aug 2019 17:44:23 +0200 Daniel Lange via dovecot wrote:
> On 30.08.19 at 17:38, Daniel Lange via dovecot wrote:
> > On 30.08.19 at 10:00, Christian Balzer via dovecot wrote:
> >> When upgrading on Debian Stretch with the security fix packages all
> >> dovecot processes get killed and then restarted despite having
> >> "shutdown_clients = no" set.
> >
> > This is systemd doing its "magic" (kill all control group processes),
> > see https://dovecot.org/pipermail/dovecot/2016-June/104546.html
> > for a potential fix.
>
> Actually that will not be enough in the upgrade case as the maintainer
> script calls
> deb-systemd-invoke stop dovecot.socket dovecot.service
>
> I personally think re-connecting clients are normal operations so I
> wouldn't bother. But you could override the stop action in the systemd
> unit if you have local reasons that warrant such a hack.
>

--
Christian Balzer
Network/Systems Engineer
chibi at gol.com
Rakuten Mobile Inc.
MK
2019-Sep-02 08:01 UTC
Re: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Good morning list,

just a short question about this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers and some backend servers, which store the mailboxes. Is it enough to update the frontend servers if I want to fix the vulnerability?

Greetings,
Oliver