Your message dated Wed, 12 Oct 2016 17:15:49 +0300
with message-id <20161012141549.3aaxgx7vs42pt...@bunk.spdns.de>
and subject line Already fixed in oldstable
has caused the Debian Bug report #765473,
regarding dovecot-common: Dovecot (previous to V2.1) doesn't allow to disable 
SSLv3 which is bad: CVE-2014-3566
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
765473: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765473
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dovecot-common
Version: 1:1.2.15-7
Severity: grave
Tags: security squeeze upstream
Justification: user security hole

Hi there,

I guess everybody knows by now that CVE-2014-3566 changes the status
of SSLv3 from mostly-obsolete to mostly-broken.

Unfortunately dovecot previous to 2.1 doesn't distinguish between security
protocols and cyphers. Therefore simply disabling SSLv3 in dovecot.conf
like this

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3

will apparently disable all cyphers.

There is a simple one line patch available for dovecot 2.0.
Maybe a similar way exists for 1.2.

best regards
-henrik 


-- System Information:
Debian Release: 6.0.10
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages dovecot-common depends on:
ii  adduser             3.112+nmu2           add and remove users and groups
ii  libbz2-1.0          1.0.5-6+squeeze1     high-quality block-sorting file co
ii  libc6               2.11.3-4+deb6u1      Embedded GNU C Library: Shared lib
ii  libcomerr2          1.41.12-4stable1     common error description library
ii  libdb4.8            4.8.30-2             Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries - k
ii  libk5crypto3        1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries - C
ii  libkrb5-3           1.8.3+dfsg-4squeeze8 MIT Kerberos runtime libraries
ii  libldap-2.4-2       2.4.23-7.3           OpenLDAP libraries
ii  libmysqlclient16    5.1.73-1             MySQL database client library
ii  libpam-runtime      1.1.1-6.1+squeeze1   Runtime support for the PAM librar
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libpq5              8.4.22-0+deb6u1      PostgreSQL C client library
ii  libsqlite3-0        3.7.3-1              SQLite 3 shared library
ii  libssl0.9.8         0.9.8o-4squeeze17    SSL shared libraries
ii  openssl             0.9.8o-4squeeze17    Secure Socket Layer (SSL) binary a
ii  ucf                 3.0025+nmu1          Update Configuration File: preserv
ii  zlib1g              1:1.2.3.4.dfsg-3     compression library - runtime

dovecot-common recommends no packages.

Versions of packages dovecot-common suggests:
pn  ntp                           <none>     (no description available)

-- no debconf information

--- End Message ---
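The cipher-string pitfall henrik describes, demonstrated with Python's ssl module (this is an added example, not code from the bug report or from Dovecot). It assumes Python 3.7+ on OpenSSL 1.0.1 or later, where suites tagged TLSv1.2 exist; NO_POST_SSLV3_SUITES is a constructed string that reproduces what happened on squeeze's OpenSSL 0.9.8, which had no suites tagged later than SSLv3.

```python
import ssl

# Cipher-list strings: the bug report's own (which emptied Dovecot < 2.1's
# cipher list on OpenSSL 0.9.8) and the same list without the !SSLv3 rule.
BASE_LIST = "ALL:!LOW:!SSLv2"
BUG_REPORT_LIST = "ALL:!LOW:!SSLv2:!SSLv3"
# Constructed simulation of OpenSSL 0.9.8: that library defines no suites
# tagged later than SSLv3, so on it "!SSLv3" alone leaves nothing. Here the
# same effect is produced by also stripping the TLSv1.0/TLSv1.2-tagged suites.
NO_POST_SSLV3_SUITES = BUG_REPORT_LIST + ":!TLSv1:!TLSv1.0:!TLSv1.2"


def remaining_ciphers(cipher_string):
    """Names of the suites OpenSSL keeps after applying cipher_string; an
    empty set means OpenSSL rejected the list ("No cipher can be selected")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return set()
    return {c["name"] for c in ctx.get_ciphers()}


def cipher_list_touches_protocol_settings(cipher_string):
    """True if set_ciphers() changed the protocol-version controls. It never
    does: a cipher list filters suites, it cannot refuse the SSLv3 protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = (ctx.options, ctx.minimum_version)
    ctx.set_ciphers(cipher_string)
    return (ctx.options, ctx.minimum_version) != before


def disable_sslv3_properly():
    """Protocol-level fix: keep the cipher list, refuse SSLv3 as a protocol.
    Dovecot 2.1+ exposes this as `ssl_protocols = !SSLv2 !SSLv3`; the
    OpenSSL-level equivalent is the SSL_OP_NO_SSLv3 option used here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(BASE_LIST)
    ctx.options |= ssl.OP_NO_SSLv3
    return {"sslv3_refused": bool(ctx.options & ssl.OP_NO_SSLv3),
            "ciphers": {c["name"] for c in ctx.get_ciphers()}}


if __name__ == "__main__":
    kept = remaining_ciphers(BUG_REPORT_LIST)
    dropped = remaining_ciphers(BASE_LIST) - kept
    print("!SSLv3 dropped %d SSLv3-tagged suites, e.g. %s" % (len(dropped), sorted(dropped)[:3]))
    print("%d suites tagged with a later version survive" % len(kept))
    print("library without such suites:", remaining_ciphers(NO_POST_SSLV3_SUITES) or "empty, list rejected")
```

The `!SSLv3` keyword removes suites by the protocol version OpenSSL tags them with, not by the version being negotiated, so it only turns SSLv3 off when no later-tagged suites exist, and then it turns everything off.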
--- Begin Message ---
Squeeze is no longer supported (not even LTS supported), and this bug is 
already fixed in oldstable.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

--- End Message ---