Your message dated Wed, 12 Oct 2016 17:15:49 +0300
with message-id <20161012141549.3aaxgx7vs42pt...@bunk.spdns.de>
and subject line Already fixed in oldstable
has caused the Debian Bug report #765473,
regarding dovecot-common: Dovecot (previous to V2.1) doesn't allow to disable
SSLv3 which is bad: CVE-2014-3566
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
765473: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765473
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dovecot-common
Version: 1:1.2.15-7
Severity: grave
Tags: security squeeze upstream
Justification: user security hole
Hi there,
I guess everybody knows by now that CVE-2014-3566 changes the status
of SSLv3 from mostly-obsolete to mostly-broken.
Unfortunately dovecot previous to 2.1 doesn't distinguish between security
protocols and cyphers. Therefore simply disabling SSLv3 in dovecot.conf
like this
    ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3
will apparently disable all cyphers.
There is a simple one line patch available for dovecot 2.0.
Maybe a similar way exists for 1.2.
best regards
-henrik
-- System Information:
Debian Release: 6.0.10
APT prefers squeeze-lts
APT policy: (500, 'squeeze-lts'), (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages dovecot-common depends on:
ii  adduser           3.112+nmu2            add and remove users and groups
ii  libbz2-1.0        1.0.5-6+squeeze1      high-quality block-sorting file co
ii  libc6             2.11.3-4+deb6u1       Embedded GNU C Library: Shared lib
ii  libcomerr2        1.41.12-4stable1      common error description library
ii  libdb4.8          4.8.30-2              Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2  1.8.3+dfsg-4squeeze8  MIT Kerberos runtime libraries - k
ii  libk5crypto3      1.8.3+dfsg-4squeeze8  MIT Kerberos runtime libraries - C
ii  libkrb5-3         1.8.3+dfsg-4squeeze8  MIT Kerberos runtime libraries
ii  libldap-2.4-2     2.4.23-7.3            OpenLDAP libraries
ii  libmysqlclient16  5.1.73-1              MySQL database client library
ii  libpam-runtime    1.1.1-6.1+squeeze1    Runtime support for the PAM librar
ii  libpam0g          1.1.1-6.1+squeeze1    Pluggable Authentication Modules l
ii  libpq5            8.4.22-0+deb6u1       PostgreSQL C client library
ii  libsqlite3-0      3.7.3-1               SQLite 3 shared library
ii  libssl0.9.8       0.9.8o-4squeeze17     SSL shared libraries
ii  openssl           0.9.8o-4squeeze17     Secure Socket Layer (SSL) binary a
ii  ucf               3.0025+nmu1           Update Configuration File: preserv
ii  zlib1g            1:1.2.3.4.dfsg-3      compression library - runtime
dovecot-common recommends no packages.
Versions of packages dovecot-common suggests:
pn ntp <none> (no description available)
-- no debconf information
--- End Message ---
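The effect described in the report above, as an added example that is not part of the original messages and is not Dovecot or OpenSSL code: a simplified Python model of cipher-string evaluation, in which `!SSLv3` removes suites by the protocol version that defined them instead of switching a protocol off. The suite tables and the `select_ciphers` helper are constructed for illustration; the real OpenSSL grammar has more operators than the three modelled here.

```python
# Simplified model of OpenSSL cipher-string evaluation (assumption: only
# "ALL", a bare tag and "!tag" are modelled). Every suite carries the protocol
# version that *defined* it; TLSv1.0 reuses the suites tagged SSLv3.

# Constructed sample: (name, defining protocol, strength), labelled the way
# `openssl ciphers -v` labels them on a library without TLSv1.2 support.
OPENSSL_098_SAMPLE = [
    ("AES256-SHA", "SSLv3", "HIGH"),
    ("DES-CBC3-SHA", "SSLv3", "HIGH"),
    ("RC4-SHA", "SSLv3", "MEDIUM"),
    ("DES-CBC-SHA", "SSLv3", "LOW"),
    ("DES-CBC3-MD5", "SSLv2", "HIGH"),
]

# Constructed sample: a later library that also ships a TLSv1.2-defined suite.
WITH_TLS12_SAMPLE = OPENSSL_098_SAMPLE + [
    ("AES128-GCM-SHA256", "TLSv1.2", "HIGH"),
]


def select_ciphers(cipher_string, suites):
    """Return the suite names left after applying a colon-separated string.

    "ALL" or a bare tag adds matching suites; "!tag" removes matching suites
    permanently, whatever an earlier or later rule adds.
    """
    selected, killed = [], set()
    for rule in cipher_string.split(":"):
        negate, tag = rule.startswith("!"), rule.lstrip("!")
        matches = [s for s in suites if tag == "ALL" or tag in s[1:]]
        for name, _proto, _strength in matches:
            if negate:
                killed.add(name)
            elif name not in selected:
                selected.append(name)
    return [name for name in selected if name not in killed]


if __name__ == "__main__":
    reported = "ALL:!LOW:!SSLv2:!SSLv3"   # the setting quoted in the report
    for label, table in (("no TLSv1.2 suites", OPENSSL_098_SAMPLE),
                         ("with TLSv1.2 suites", WITH_TLS12_SAMPLE)):
        left = select_ciphers(reported, table)
        print(f"{label}: {left or 'no cipher can be selected'}")
```

Against the first table the reported string leaves nothing, which is why a protocol has to be disabled through a protocol setting and not through the cipher list.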
--- Begin Message ---
Squeeze is no longer supported (not even LTS supported), and this bug is
already fixed in oldstable.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
--- End Message ---