Control: reassign -1 src:courier 1.0.16-3
Control: retitle -1 courier: CVE-2021-38084
Control: found -1 1.0.6-1

Hi,

On Wed, Jun 02, 2021 at 08:59:02AM +0200, Sysadmin HTL Leonding wrote:
> Package: courier-pop
> Severity: important
>
> Dear Maintainer,
>
> Uni Münster did a vulnerability scan on the Internet and reported a Debian
> server running courier-pop to be vulnerable to the equivalent of
> CVE-2011-0411. The system information is from another system, but the issue
> exists in the upstream source, so it doesn't matter.
>
> The suggested fixes from
> www.postfix.org/CVE-2011-0411.html
> have never been implemented in courier-pop (according to the researchers,
> only in the IMAP implementation).
>
> There has been a very old bug report for Ubuntu (the Debian security team
> asked me to open a ticket in the Debian BTS for this):
> https://bugs.launchpad.net/ubuntu/+source/courier/+bug/1194892
>
> In the meantime I got the information from a courier developer that while
> courier-pop is vulnerable to the same issue as the other programs (where
> fixes have been implemented), according to him there has never been a
> practical exploit given the limitations of the POP3 protocol. The only
> possibility for an attacker would be to cause the server to send back
> errors or failures to the login request, and as the attacker is already
> MITM he/she could do that anyway.
>
> As a measure of defense in depth and to prevent Internet scans from causing
> "noise", it might still be a good idea to implement the suggested fixes in
> the POP3 implementation too.
>
> Or someone could declare STARTTLS as broken anyway (then it should be
> disabled in the config and documented there) and users should use the
> TLS-only ports, as the researchers recommended as a workaround.

This now has its own CVE, CVE-2021-38084. Fixed upstream in 1.1.5 according to
https://sourceforge.net/p/courier/mailman/message/37329216/ .

Regards,
Salvatore