Re: CVE-2016-8562 in dovecot
On 05.12.2016 09:53, Marc Schiffbauer wrote:
> * Aki Tuomi wrote on 02.12.16 at 08:00:
>
> Hi Aki,
>
>> We are sorry to report that we have a bug in dovecot, which merits a
>> CVE. See details below. If you haven't configured any auth_policy_*
>> settings you are ok. This is fixed with
>> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
>> and
>> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>>
>> Important vulnerability in Dovecot (CVE-2016-8562)
>> CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
>> Affected version(s): 2.2.25.1 up to 2.2.26.1
>> Fixed in: 2.2.27.1rc1
>
> I think either it should read "up to 2.2.27"
> or
> "Fixed in: 2.2.27"
>
> Or how about version 2.2.27? (without .1)
>
> TIA
> -Marc
>

I guess so, we'll take note of this.

Aki
Re: CVE-2016-8562 in dovecot
* Aki Tuomi wrote on 02.12.16 at 08:00:

Hi Aki,

> We are sorry to report that we have a bug in dovecot, which merits a
> CVE. See details below. If you haven't configured any auth_policy_*
> settings you are ok. This is fixed with
> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
> and
> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>
> Important vulnerability in Dovecot (CVE-2016-8562)
> CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
> Affected version(s): 2.2.25.1 up to 2.2.26.1
> Fixed in: 2.2.27.1rc1

I think either it should read "up to 2.2.27"
or
"Fixed in: 2.2.27"

Or how about version 2.2.27? (without .1)

TIA
-Marc

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: CVE-2016-8562 in dovecot
> On December 2, 2016 at 7:50 PM "A. Schulze" wrote:
>
> > On 02.12.2016 at 08:00 Aki Tuomi wrote:
> > Workaround is to disable auth-policy component until fix is in place.
> > This can be done by commenting out all auth_policy_* settings.
>
> Hello,
>
> could you be more verbose on how to verify if administrators are affected?
>
> # doveconf -n | grep auth_policy_ | wc -l
> 0
>
> but there /are/ default settings:
> # doveconf -d | grep auth_policy_
> auth_policy_hash_mech = sha256
> auth_policy_hash_nonce =
> auth_policy_hash_truncate = 12
> auth_policy_reject_on_fail = no
> auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
> auth_policy_server_api_header =
> auth_policy_server_timeout_msecs = 2000
> auth_policy_server_url =
>
> Is such setup vulnerable?
>
> Thanks for clarification,
> Andreas

Your setup is not vulnerable, the critical values are auth_policy_server_url
and auth_policy_hash_nonce. Those are unset in your config.

Aki
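As an added example (not code from this thread or from the Dovecot project), a POSIX shell check that applies the rule Aki gives above to doveconf output: the auth-policy component counts as active only if auth_policy_server_url or auth_policy_hash_nonce carries a non-empty value. The sample inputs are constructed; the policy URL and nonce in the second sample are placeholders.

```shell
#!/bin/sh
# Added example, not from Dovecot or the list thread. Reads "key = value"
# lines as printed by doveconf on stdin and returns 0 (true) when either
# auth_policy_server_url or auth_policy_hash_nonce has a non-empty value,
# 1 otherwise. On a real host run:
#   doveconf -n | auth_policy_active && echo "auth-policy is active"
auth_policy_active() {
    awk '
        /^auth_policy_(server_url|hash_nonce)[[:space:]]*=/ {
            # Drop "key =" and any surrounding whitespace, keep the value.
            sub(/^[^=]*=[[:space:]]*/, "")
            if (length($0) > 0) { found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: the defaults Andreas pasted (both critical values empty).
SAMPLE_DEFAULTS='auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url ='

# Constructed sample of a host that has switched the component on
# (placeholder URL and nonce, not real values).
SAMPLE_ENABLED='auth_policy_server_url = http://policy.example.internal:4001/
auth_policy_hash_nonce = placeholder-nonce'

# Helper used by the checks below: prints "active" or "inactive" for a
# block of doveconf text passed as $1.
check_sample() {
    if printf '%s\n' "$1" | auth_policy_active; then
        echo active
    else
        echo inactive
    fi
}
```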
Re: CVE-2016-8562 in dovecot
On 02.12.2016 at 08:00 Aki Tuomi wrote:
> Workaround is to disable auth-policy component until fix is in place.
> This can be done by commenting out all auth_policy_* settings.

Hello,

could you be more verbose on how to verify if administrators are affected?

# doveconf -n | grep auth_policy_ | wc -l
0

but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =

Is such setup vulnerable?

Thanks for clarification,
Andreas
Re: CVE-2016-8562 in dovecot
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
> We are sorry to report that we have a bug in dovecot, which merits a
> CVE. See details below. If you haven't configured any auth_policy_*
> settings you are ok. This is fixed with
> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
> and
> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
>
> Important vulnerability in Dovecot (CVE-2016-8562)

Are you sure about the CVE number? According to Debian [1] and mitre [2],
it’s for SIEMENS something, not Dovecot.

best regards,
Jonas Wielicki

[1]: https://security-tracker.debian.org/tracker/CVE-2016-8562
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
CVE-2016-8562 in dovecot
We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with
https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
and
https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc

Important vulnerability in Dovecot (CVE-2016-8562)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1

Short summary:
Dovecot auth component can be crashed by remote user when auth-policy
component is activated.

If auth-policy component has been activated in Dovecot, then remote user
can use SASL authentication to crash auth component.

Workaround is to disable auth-policy component until fix is in place.
This can be done by commenting out all auth_policy_* settings.

Aki Tuomi
Dovecot oy