On December 3, 2016 at 11:00 PM "Jeremiah C. Foster" jeremiah@jeremiahfoster.com wrote:
On Sat, 2016-12-03 at 21:25 +0200, Aki Tuomi wrote:
On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" wrote:
On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
On 03/12/2016 12:08, Jeremiah C. Foster wrote:
On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
On 02.12.2016 10:45, Jonas Wielicki wrote:
On Freitag, 2. Dezember 2016 09:00:58 CET Aki Tuomi wrote:
<snip>
Important vulnerability in Dovecot (CVE-2016-8562) Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
[1]:
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
Ups, sent wrong number, correct is CVE-2016-8652. That is the same number, no?
No, read it again. The wrong and pasted copies are 8 5 62; his revised one is 8 6 52.
Ah, thank you. So I guess the CVE is then here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a whole lot more information yet.
Cheers,
Jeremiah
Hi!
What piece of information are you missing?
Well, the CVE web page says in the description: "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
Yes, it can take some time for that to update, what with this being unembargoed on Friday in first place.
Looking at this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846605 in Debian's bug tracker it appears there is not yet a fix.
Interesting, there is a fix. Debian has probably not yet updated their page, for similar reasons as above.
I guess ideally I'm looking for a way to determine if I am affected, and if I am affected to mitigate or patch the problem.
In this thread there was a discussion about checking via the doveconf tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best approach?
Then I imagine I need to check "the critical values auth_policy_server_url and auth_policy_hash_nonce" to see if those are set. If they are set what does one do? I guess that question is better asked once I've determined that I'm affected.
If they are set, either apply the mentioned patch, upgrade to 2.2.27, or ensure their value is empty or they are commented out. Otherwise you are at risk.
Aki
Thanks,
Jeremiah
Aki
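The check Aki describes above (look at doveconf -n for auth_policy_server_url and auth_policy_hash_nonce, and treat the host as at risk unless both are empty or commented out) written out as a small POSIX shell helper. This is an added example, not code from the thread or from the Dovecot project; the sample doveconf output it runs against is constructed here, and the hostnames and nonce in it are placeholders. On a real host you would pipe `doveconf -n` into assess_auth_policy instead of the samples.

```sh
#!/bin/sh
# Added example (not from the thread or Dovecot): decide from `doveconf -n`
# output whether the auth policy client is configured, i.e. whether the
# CVE-2016-8652 mitigation discussed in the thread (apply the patch, upgrade
# to 2.2.27, or empty/comment out the two settings) still needs doing.
# Functions read the doveconf output on stdin so they can be exercised
# offline; on a live host run:  doveconf -n | assess_auth_policy

# Print the value of one "key = value" line from doveconf -n output on stdin.
# Commented-out lines (#auth_policy_...) do not match because the pattern is
# anchored at the start of the line; an empty value prints an empty string.
# Only the first '=' is treated as the separator, so a URL containing '=' is
# returned intact.
doveconf_value() {
    awk -v key="$1" '
        $0 ~ ("^" key "[[:space:]]*=") {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)   # drop "key = "
            sub(/[[:space:]]+$/, "", v)         # drop trailing blanks
            print v
            exit
        }'
}

# Echo AT-RISK if either critical setting carries a non-empty value, else OK.
# Always exits 0 so it is safe under `set -e`; the verdict is the output.
assess_auth_policy() {
    conf=$(cat)
    url=$(printf '%s\n' "$conf" | doveconf_value auth_policy_server_url)
    nonce=$(printf '%s\n' "$conf" | doveconf_value auth_policy_hash_nonce)
    if [ -n "$url" ] || [ -n "$nonce" ]; then
        echo "AT-RISK"
    else
        echo "OK"
    fi
}

# The rougher check from the thread (`doveconf -n | grep auth_policy_ | wc -l`)
# as a function. Note that it counts a line that is present but set to an
# empty value, so a non-zero count alone does not prove exposure.
count_auth_policy_settings() {
    awk '/^auth_policy_/ { n++ } END { print n + 0 }'
}

# Constructed sample: auth policy client enabled (placeholder host and nonce).
SAMPLE_ENABLED='# constructed doveconf -n sample, not a real host
auth_policy_hash_nonce = placeholder-nonce
auth_policy_server_url = http://policy.example.test:4001/
mail_location = maildir:~/Maildir'

# Constructed sample: URL commented out, nonce set to an empty value.
SAMPLE_DISABLED='# constructed doveconf -n sample, not a real host
#auth_policy_server_url = http://policy.example.test:4001/
auth_policy_hash_nonce =
mail_location = maildir:~/Maildir'
```

Because doveconf -n prints only settings that differ from their defaults, a host that never touched the auth policy settings produces no auth_policy_ lines at all and assess_auth_policy reports OK; the AT-RISK verdict only says the mitigation is still needed, not which of the three remedies (patch, upgrade, or clearing the values) to choose.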