Re: CVE-2016-8652 in dovecot

3 Dec 2016


      On Sat, 2016-12-03 at 21:25 +0200, Aki Tuomi wrote:
...
...
On December 3, 2016 at 9:11 PM "Jeremiah C. Foster"  wrote:
On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
...
On 03/12/2016 12:08, Jeremiah C. Foster wrote:
...
On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote: 
On 02.12.2016 10:45, Jonas Wielicki wrote: On Freitag, 2.
Dezember
2016 09:00:58 CET Aki Tuomi wrote:
<snip>
...
...
...
...
Important vulnerability in Dovecot (CVE-2016-8562) 
Are you sure about the CVE number? According to Debian [1 [1]]
and
mitre [2 [2]], it's 
for SIEMENS something, not Dovecot.
best regards,
Jonas Wielicki
[1]:
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-85
6
2
Ups, sent wrong number, correct is CVE-2016-8652. 
That is the same number, no? 
No, read it again. the wrong and pasted copie are 8 5 62, his
revised
is
8 6 52 
Ah, thank you. So I guess the CVE is then here: https://cve.mitre.o
rg/c
gi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a
whole
lot more information yet.
Cheers,
Jeremiah
Hi!
What piece of information are you missing?
Well the CVE web page says in the description: '** RESERVED ** This
candidate has been reserved by an organization or individual that will
use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided."
Looking at this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=84660
5 in Debian's bug tracker it appears there is not yet a fix.
I guess ideally I'm looking for a way to determine if I am affected,
and if I am affected to mitigate or patch the problem.
In this thread there was a discussion about checking via the doveconf
tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best
approach?
Then I imagine I need to check "the critical values
auth_policy_server_url and auth_policy_hash_nonce" to see if those are
set. If they are set what does one do? I guess that question is better
asked once I've determined that I'm affected.
Thanks,
Jeremiah
...
Aki