CVE-2016-8562 in dovecot

A. Schulze sca at andreasschulze.de
Fri Dec 2 17:50:05 UTC 2016



On 02.12.2016 at 08:00, Aki Tuomi wrote:
> Workaround is to disable auth-policy component until fix is in place.
> This can be done by commenting out all auth_policy_* settings.

Hello,

Could you be more verbose on how to verify whether administrators are affected?

# doveconf -n | grep auth_policy_ | wc -l
0

but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce = 
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header = 
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url = 

Is such setup vulnerable?

Thanks for clarification,
Andreas
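A small script, added here as an example and not taken from the post or from the Dovecot project, that applies the check Andreas describes to `doveconf -n` output: it lists every explicitly set auth_policy_* line, extracts auth_policy_server_url, and reports "configured" when a policy server URL is present and "defaults-only" when nothing is set. It assumes the `key = value` line format shown in the thread; the two config samples are constructed, and the URL in them is a placeholder. It only reports what is configured; whether the defaults-only case is affected is the question the post asks.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Dovecot project):
# inspect `doveconf -n` output for explicit auth_policy_* settings.
# Assumes the "key = value" line format shown in the thread.

# Constructed sample of `doveconf -n` output with a policy server configured
# (the URL is a placeholder, not a real host).
SAMPLE_WITH_POLICY='mail_location = maildir:~/Maildir
auth_policy_server_url = http://policy.example.invalid:4001/
auth_policy_hash_nonce = localsecret
protocols = imap lmtp'

# Constructed sample with no auth_policy_* overrides (the situation in the post).
SAMPLE_WITHOUT_POLICY='mail_location = maildir:~/Maildir
protocols = imap lmtp'

# auth_policy_count CONFIG_TEXT -> number of explicit auth_policy_* lines
# (grep -c exits 1 when the count is 0, so the "|| true" keeps callers running)
auth_policy_count() {
    printf '%s\n' "$1" | grep -cE '^auth_policy_[a-z_]+ =' || true
}

# auth_policy_server_url CONFIG_TEXT -> the configured URL, empty if unset
auth_policy_server_url() {
    printf '%s\n' "$1" | sed -n 's/^auth_policy_server_url = *//p'
}

# auth_policy_status CONFIG_TEXT -> "configured" when a server URL is set,
# "defaults-only" when the auth policy component has not been pointed anywhere
auth_policy_status() {
    url=$(auth_policy_server_url "$1")
    if [ -n "$url" ]; then
        echo configured
    else
        echo defaults-only
    fi
}

# Usage against a live installation:  auth_policy_status "$(doveconf -n)"
echo "with policy:    $(auth_policy_status "$SAMPLE_WITH_POLICY") ($(auth_policy_count "$SAMPLE_WITH_POLICY") explicit settings)"
echo "without policy: $(auth_policy_status "$SAMPLE_WITHOUT_POLICY") ($(auth_policy_count "$SAMPLE_WITHOUT_POLICY") explicit settings)"
```

Run it against the real configuration with `auth_policy_status "$(doveconf -n)"`; `doveconf -n` prints only non-default values, which is why the defaults listed by `doveconf -d` do not show up in the count.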

