[Secure-testing-team] Bug#765473: dovecot-common: Dovecot (previous to V2.1) doesn't allow disabling SSLv3 which is bad: CVE-2014-3566

Henrik Langos hlangos-debNOSPAM at innominate.com
Wed Oct 15 12:07:48 UTC 2014


Package: dovecot-common
Version: 1:1.2.15-7
Severity: grave
Tags: security squeeze upstream
Justification: user security hole

Hi there,

I guess everybody knows by now that CVE-2014-3566 changes the status
of SSLv3 from mostly-obsolete to mostly-broken.

Unfortunately dovecot previous to 2.1 doesn't distinguish between security
protocols and cyphers. Therefore simply disabling SSLv3 in dovecot.conf
like this

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3

will apparently disable all cyphers.

There is a simple one line patch available for dovecot 2.0.
Maybe a similar way exists for 1.2.

best regards
-henrik 


-- System Information:
Debian Release: 6.0.10
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages dovecot-common depends on:
ii  adduser             3.112+nmu2           add and remove users and groups
ii  libbz2-1.0          1.0.5-6+squeeze1     high-quality block-sorting file co
ii  libc6               2.11.3-4+deb6u1      Embedded GNU C Library: Shared lib
ii  libcomerr2          1.41.12-4stable1     common error description library
ii  libdb4.8            4.8.30-2             Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries - k
ii  libk5crypto3        1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries - C
ii  libkrb5-3           1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries
ii  libldap-2.4-2       2.4.23-7.3           OpenLDAP libraries
ii  libmysqlclient16    5.1.73-1             MySQL database client library
ii  libpam-runtime      1.1.1-6.1+squeeze1   Runtime support for the PAM librar
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libpq5              8.4.22-0+deb6u1      PostgreSQL C client library
ii  libsqlite3-0        3.7.3-1              SQLite 3 shared library
ii  libssl0.9.8         0.9.8o-4squeeze17    SSL shared libraries
ii  openssl             0.9.8o-4squeeze17    Secure Socket Layer (SSL) binary a
ii  ucf                 3.0025+nmu1          Update Configuration File: preserv
ii  zlib1g              1:1.2.3.4.dfsg-3     compression library - runtime

dovecot-common recommends no packages.

Versions of packages dovecot-common suggests:
pn  ntp                           <none>     (no description available)

-- no debconf information
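The failure mode in the report comes from OpenSSL cipher-string semantics: `SSLv3` in a cipher string is a cipher-suite alias (every suite whose minimum protocol is SSL 3.0), not a protocol switch, so `!SSLv3` prunes suites rather than disabling the protocol. The following added example (not from the report or from Dovecot) shows the difference using Python's `ssl` module against the system OpenSSL; on the OpenSSL 0.9.8 in the report every suite is an SSLv3-era suite, so the list empties and `set_ciphers()` raises, which the helper reports as an empty list.

```python
import ssl

# Cipher string quoted in the bug report: protocol names used as suite filters.
REPORTED_CIPHER_LIST = "ALL:!LOW:!SSLv2:!SSLv3"


def cipher_survivors(cipher_string):
    """Return [(name, min_protocol)] left after applying an OpenSSL cipher string.

    On OpenSSL 0.9.8 every suite is an "SSLv3" suite, so "!SSLv3" empties the
    list and set_ciphers() raises; that case is returned as [].  On newer
    OpenSSL only the TLSv1.2/1.3-only suites survive, which still silently
    drops every AES-CBC/SHA1 suite that a TLS 1.0 client would negotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def context_without_sslv3(cipher_string="ALL:!LOW"):
    """The shape of fix the report asks for: disable the protocol, keep the suites.

    Setting OP_NO_SSLv3 is the Python equivalent of SSL_CTX_set_options(ctx,
    SSL_OP_NO_SSLv3) in C (an assumption about how the one-line patch works;
    the report does not quote it).  The cipher string then carries no
    protocol names at all.  Modern Python already sets OP_NO_SSLv3 by default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3
    ctx.set_ciphers(cipher_string)
    return ctx


def sslv3_disabled(ctx):
    """True when the context refuses SSL 3.0 at the protocol level."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    buggy = cipher_survivors(REPORTED_CIPHER_LIST)
    fixed = context_without_sslv3()
    print("suites left by %r: %d" % (REPORTED_CIPHER_LIST, len(buggy)))
    print("suites with SSLv3 disabled as a protocol: %d" % len(fixed.get_ciphers()))
    for name, proto in buggy[:5]:
        print("  ", name, proto)
```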