This bug is tagged squeeze, and users can of course disable SSLv3 manually in
newer versions of Dovecot. We should nevertheless change the default value of
ssl_protocols in newer versions to "!SSLv2 !SSLv3" so that they are protected
by default.

Suggested fix attached.

Jelmer
commit b074edee64fadc172c72fed62fbd664c9770a0d0
Author: Jelmer Vernooij <jel...@debian.org>
Date:   Sun Nov 9 16:33:11 2014 +0000

    Disable SSLv3 by default because of CVE-2014-3566.

diff --git a/debian/dovecot-core.NEWS b/debian/dovecot-core.NEWS
index 62252f3..f4c478c 100644
--- a/debian/dovecot-core.NEWS
+++ b/debian/dovecot-core.NEWS
@@ -1,3 +1,14 @@
+dovecot (1:2.2.13-6) unstable; urgency=medium
+
+  The SSLv3 protocol is now disabled by default because of CVE-2014-3566.
+  To go back to the old default value for ssl protocols, set:
+
+    ssl_protocols = !SSLv2
+
+  in /etc/dovecot/conf.d/10-ssl.conf
+
+ -- Jelmer Vernooij <jel...@debian.org>  Sun, 09 Nov 2014 16:35:45 +0000
+
 dovecot (1:2.1.7-7) unstable; urgency=high
 
   If you are upgrading from stable or the earlier 2.1.7 packages in testing,
diff --git a/debian/patches/series b/debian/patches/series
index 762771b..70adb7d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ exampledir.patch
 mboxlocking.patch
 dovecot_name.patch
 bye_logout_not_sent.patch
+sslv3-disable.patch
diff --git a/debian/patches/sslv3-disable.patch b/debian/patches/sslv3-disable.patch
new file mode 100644
index 0000000..c754693
--- /dev/null
+++ b/debian/patches/sslv3-disable.patch
@@ -0,0 +1,31 @@
+Author: Jelmer Vernooij <jel...@debian.org>
+Date: Sun 9 Nov 16:26:36 GMT 2014
+Description: Disable SSLv3 by default
+Bug-Debian: http://bugs.debian.org/765473
+
+diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf
+index 7ae6b7a..e77667b 100644
+--- a/doc/example-config/conf.d/10-ssl.conf
++++ b/doc/example-config/conf.d/10-ssl.conf
+@@ -46,7 +46,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+ #ssl_dh_parameters_length = 1024
+ 
+ # SSL protocols to use
+-#ssl_protocols = !SSLv2
++#ssl_protocols = !SSLv2 !SSLv3
+ 
+ # SSL ciphers to use
+ #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
+index e033e07..90beb8d 100644
+--- a/src/lib-master/master-service-ssl-settings.c
++++ b/src/lib-master/master-service-ssl-settings.c
+@@ -43,7 +43,7 @@ static const struct master_service_ssl_settings master_service_ssl_default_setti
+ 	.ssl_key = "",
+ 	.ssl_key_password = "",
+ 	.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
+-	.ssl_protocols = "!SSLv2",
++	.ssl_protocols = "!SSLv2 !SSLv3",
+ 	.ssl_cert_username_field = "commonName",
+ 	.ssl_crypto_device = "",
+ 	.ssl_verify_client_cert = FALSE,
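Review bot: The new compiled-in default on the `.ssl_protocols = "!SSLv2 !SSLv3"` line is silently overridden on any installation where the administrator has already uncommented `ssl_protocols = !SSLv2` in /etc/dovecot/conf.d/10-ssl.conf, so those hosts keep SSLv3 enabled after the upgrade; the NEWS entry only explains how to revert, not that an existing explicit setting must itself gain `!SSLv3`. A why-comment on the changed line would help the next person who touches the default, e.g. `/* SSLv3 excluded by default: CVE-2014-3566 (POODLE) */`. The unchanged `.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL"` context line above it appears to still admit ciphers that are weak by today's standards (nothing excludes RC4, for instance), but that is outside this CVE's scope. The master_service_ssl_default_settings initializer starts and ends outside the hunk.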
