Your message dated Wed, 12 Oct 2016 17:15:49 +0300
with message-id <>
and subject line Already fixed in oldstable
has caused the Debian Bug report #765473,
regarding dovecot-common: Dovecot (previous to V2.1) doesn't allow to disable 
SSLv3 which is bad: CVE-2014-3566
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact

Debian Bug Tracking System
Contact with problems
--- Begin Message ---
Package: dovecot-common
Version: 1:1.2.15-7
Severity: grave
Tags: security squeeze upstream
Justification: user security hole

Hi there,

I guess everybody knows by now that CVE-2014-3566 changes the status
of SSLv3 from mostly-obsolete to mostly-broken.

Unfortunately dovecot previous to 2.1 doesn't distinguish between security
protocols and cyphers. Therefore simply disabling SSLv3 in dovecot.conf
like this

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3

will apparently disable all cyphers.

There is a simple one line patch available for dovecot 2.0.
Maybe a similar way exists for 1.2.

best regards

-- System Information:
Debian Release: 6.0.10
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages dovecot-common depends on:
ii  adduser             3.112+nmu2           add and remove users and groups
ii  libbz2-1.0          1.0.5-6+squeeze1     high-quality block-sorting file co
ii  libc6               2.11.3-4+deb6u1      Embedded GNU C Library: Shared lib
ii  libcomerr2          1.41.12-4stable1     common error description library
ii  libdb4.8            4.8.30-2             Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries - k
ii  libk5crypto3        1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries - C
ii  libkrb5-3           1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries
ii  libldap-2.4-2       2.4.23-7.3           OpenLDAP libraries
ii  libmysqlclient16    5.1.73-1             MySQL database client library
ii  libpam-runtime      1.1.1-6.1+squeeze1   Runtime support for the PAM librar
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libpq5              8.4.22-0+deb6u1      PostgreSQL C client library
ii  libsqlite3-0        3.7.3-1              SQLite 3 shared library
ii  libssl0.9.8         0.9.8o-4squeeze17    SSL shared libraries
ii  openssl             0.9.8o-4squeeze17    Secure Socket Layer (SSL) binary a
ii  ucf                 3.0025+nmu1          Update Configuration File: preserv
ii  zlib1g              1:     compression library - runtime

dovecot-common recommends no packages.

Versions of packages dovecot-common suggests:
pn  ntp                           <none>     (no description available)

-- no debconf information

--- End Message ---
--- Begin Message ---
Squeeze is no longer supported (not even LTS supported), and this bug is 
already fixed in oldstable.



       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

--- End Message ---

Reply via email to