** Description changed:

- The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is
- 2.0.19
+ SRU Request:
+ 
+ [Impact]
+ Dovecot in Precise does not contain the ssl_protocols configuration option 
that allows disabling SSLv3. Since there are now known weaknesses in SSLv3, it 
would be preferable to have an option to disable it like on later releases.
+ 
+ [Test Case]
+ 1- Configure dovecot
+ 2- Connect with SSLv3 only
+ 3- add "ssl_protocols = !SSLv3" to dovecot configuration ile
+ 4- Connect with SSLv3 only
+ 5- Connect with TLS to make sure it still works
+ 
+ Alternatively, the security team QRT script has been modified to test
+ for this. It can be used.
+ 
+ [Regression Potential]
+ This touches the config file parsing code, and the SSL code. Any regression 
could result in the configuration file not being parsed correctly, or for some 
unknown issue with SSL negotiation.
+ 
+ 
+ Original description:
+ The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is 2.0.19
  
  This version is too old to switch off SSLv3 which has been designated 
insecure as of the recent "poodle" discovery [1].
  In dovecot versions  2.1+ the protocol can be switched off, but for older 
versions the source code would need to be patched [2,3]
  
  I asked the Ubuntu team to either backport a patch to 2.0.19, or package
  a newer version of dovecot for precise.
  
  [1] https://www.openssl.org/~bodo/ssl-poodle.pdf
  [2] 
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
  [3] http://www.mail-archive.com/dovecot@dovecot.org/msg59945.html
  
- 
  source package in precise security: dovecot 1:2.0.19-0ubuntu2.1

** Description changed:

  SRU Request:
  
  [Impact]
  Dovecot in Precise does not contain the ssl_protocols configuration option 
that allows disabling SSLv3. Since there are now known weaknesses in SSLv3, it 
would be preferable to have an option to disable it like on later releases.
  
+ It may not be appropriate to default to having SSLv3 disabled yet. As
+ such, this SRU only adds the configuration option, but doesn't enable
+ it.
+ 
  [Test Case]
  1- Configure dovecot
  2- Connect with SSLv3 only
- 3- add "ssl_protocols = !SSLv3" to dovecot configuration ile
+ 3- add "ssl_protocols = !SSLv3" to dovecot configuration file
  4- Connect with SSLv3 only
  5- Connect with TLS to make sure it still works
  
  Alternatively, the security team QRT script has been modified to test
  for this. It can be used.
  
  [Regression Potential]
  This touches the config file parsing code, and the SSL code. Any regression 
could result in the configuration file not being parsed correctly, or for some 
unknown issue with SSL negotiation.
- 
  
  Original description:
  The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is 2.0.19
  
  This version is too old to switch off SSLv3 which has been designated 
insecure as of the recent "poodle" discovery [1].
  In dovecot versions  2.1+ the protocol can be switched off, but for older 
versions the source code would need to be patched [2,3]
  
  I asked the Ubuntu team to either backport a patch to 2.0.19, or package
  a newer version of dovecot for precise.
  
  [1] https://www.openssl.org/~bodo/ssl-poodle.pdf
  [2] 
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
  [3] http://www.mail-archive.com/dovecot@dovecot.org/msg59945.html
  
  source package in precise security: dovecot 1:2.0.19-0ubuntu2.1
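
The five-step [Test Case] above, driven from a shell as an added example script that is not part of this bug report or of Dovecot itself. It assumes IMAPS is served on localhost:993 (override with HOST/PORT), that the SSL settings live in /etc/dovecot/conf.d/10-ssl.conf (override with DOVECOT_SSL_CONF), and that the local OpenSSL still supports SSLv3 and the `-ssl3` flag to `openssl s_client`, as the 1.0.1 build in precise does; newer OpenSSL builds reject `-ssl3` before ever talking to the server. The `ssl_protocols = !SSLv3` syntax is the one Dovecot 2.1+ uses and the SRU backports; the `classify_handshake` / `probe` / `run_test_case` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from Dovecot): drive the SRU test
# case against a running Dovecot with `openssl s_client`.
# Assumptions: IMAPS on $HOST:$PORT (default localhost:993), SSL settings in
# $DOVECOT_SSL_CONF, and an OpenSSL that still supports SSLv3 and -ssl3 (the
# 1.0.1 build in precise does; newer builds refuse -ssl3 locally).
# Restart Dovecot (e.g. `service dovecot restart`) after editing the config.

HOST=${HOST:-localhost}
PORT=${PORT:-993}
DOVECOT_SSL_CONF=${DOVECOT_SSL_CONF:-/etc/dovecot/conf.d/10-ssl.conf}

# Classify an `openssl s_client` transcript read from stdin:
#   ok       a session was negotiated with the requested protocol version
#   refused  the server rejected the handshake (alert, wrong version, no cipher)
#   unknown  anything else (connection refused, timeout, ...)
# A rejected handshake still prints an SSL-Session block naming the protocol,
# so the refusal markers are tested first.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'alert handshake failure|wrong version number|Cipher is \(NONE\)'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*(SSLv3|TLSv1(\.[0-9])?)[[:space:]]*$'; then
        echo ok
    else
        echo unknown
    fi
}

# Attempt a handshake restricted to one protocol version and classify it.
# $1 is the s_client version flag: -ssl3, -tls1, -tls1_1 or -tls1_2.
probe() {
    openssl s_client -connect "$HOST:$PORT" "$1" </dev/null 2>&1 | classify_handshake
}

# Step 3: has "ssl_protocols = !SSLv3" been added to the config file?
config_disables_sslv3() {
    grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]*=.*!SSLv3' "$1"
}

# Steps 2, 4 and 5: run the probes and compare with what the SRU expects.
run_test_case() {
    if config_disables_sslv3 "$DOVECOT_SSL_CONF"; then
        want_ssl3=refused   # step 4: SSLv3-only client must be turned away
    else
        want_ssl3=ok        # step 2: option not set, SSLv3 still accepted
    fi
    got_ssl3=$(probe -ssl3)
    got_tls=$(probe -tls1)  # step 5: TLS must keep working in both cases
    echo "SSLv3-only handshake: $got_ssl3 (expected $want_ssl3)"
    echo "TLSv1-only handshake: $got_tls (expected ok)"
    [ "$got_ssl3" = "$want_ssl3" ] && [ "$got_tls" = ok ]
}

# Probe only when invoked as `sh check_sslv3.sh run`; the functions above can
# also be sourced and exercised offline on saved s_client transcripts.
case "${1:-}" in
    run) run_test_case ;;
esac
```

Run it once before step 3 (expecting the SSLv3 probe to report `ok`) and again after adding the option and restarting Dovecot (expecting `refused`); the TLSv1 probe must report `ok` both times, which is the regression check the [Regression Potential] section is worried about.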

** Changed in: dovecot (Ubuntu Precise)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dovecot in Ubuntu.
https://bugs.launchpad.net/bugs/1381537

Title:
  Dovecot version in precise  too old to switch off SSLv3 protocol for
  "poodle" fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs