CVE-2016-8562 in dovecot
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13... and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c6...
Important vulnerability in Dovecot (CVE-2016-8562)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1
Short summary: The Dovecot auth component can be crashed by a remote user when the auth-policy component is activated.
If the auth-policy component has been activated in Dovecot, then a remote user can use SASL authentication to crash the auth component.
The workaround is to disable the auth-policy component until the fix is in place. This can be done by commenting out all auth_policy_* settings.
Aki Tuomi
Dovecot oy
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot (CVE-2016-8562)
Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
On 02.12.2016 10:45, Jonas Wielicki wrote:
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot (CVE-2016-8562)
Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
Oops, sent wrong number, correct is CVE-2016-8652.
Aki
On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
On 02.12.2016 10:45, Jonas Wielicki wrote:
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot (CVE-2016-8562)
Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
[1]: https://security-tracker.debian.org/tracker/CVE-2016-8562
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
Oops, sent wrong number, correct is CVE-2016-8652.
That is the same number, no?
On 03/12/2016 12:08, Jeremiah C. Foster wrote:
On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
On 02.12.2016 10:45, Jonas Wielicki wrote:
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot (CVE-2016-8562)
Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
Oops, sent wrong number, correct is CVE-2016-8652.
That is the same number, no?
No, read it again. The wrong and pasted copies are 8 5 62, his revised is 8 6 52.
--
Kind Regards,
Noel Butler
This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the author's express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message. Only PDF [3] and ODF [4] documents accepted, please do not send proprietary formatted documents.
Links:
[1] https://security-tracker.debian.org/tracker/CVE-2016-8562
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
[3] http://www.adobe.com/
[4] http://en.wikipedia.org/wiki/OpenDocument
On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
On 03/12/2016 12:08, Jeremiah C. Foster wrote:
On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
On 02.12.2016 10:45, Jonas Wielicki wrote:
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot (CVE-2016-8562)
Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
Oops, sent wrong number, correct is CVE-2016-8652.
That is the same number, no?
No, read it again. The wrong and pasted copies are 8 5 62, his revised is 8 6 52.
Ah, thank you. So I guess the CVE is then here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a whole lot more information yet.
Cheers,
Jeremiah
On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" jeremiah@jeremiahfoster.com wrote:
On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
On 03/12/2016 12:08, Jeremiah C. Foster wrote:
On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
On 02.12.2016 10:45, Jonas Wielicki wrote:
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot (CVE-2016-8562)
Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
Oops, sent wrong number, correct is CVE-2016-8652.
That is the same number, no?
No, read it again. The wrong and pasted copies are 8 5 62, his revised is 8 6 52.
Ah, thank you. So I guess the CVE is then here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a whole lot more information yet.
Cheers,
Jeremiah
Hi!
What piece of information are you missing?
Aki
On Sat, 2016-12-03 at 21:25 +0200, Aki Tuomi wrote:
On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" wrote:
On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
On 03/12/2016 12:08, Jeremiah C. Foster wrote:
On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
On 02.12.2016 10:45, Jonas Wielicki wrote:
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
<snip>
Important vulnerability in Dovecot (CVE-2016-8562)
Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
[1]: https://security-tracker.debian.org/tracker/CVE-2016-8562
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
Oops, sent wrong number, correct is CVE-2016-8652.
That is the same number, no?
No, read it again. The wrong and pasted copies are 8 5 62, his revised is 8 6 52.
Ah, thank you. So I guess the CVE is then here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a whole lot more information yet.
Cheers,
Jeremiah
Hi!
What piece of information are you missing?
Well the CVE web page says in the description: "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
Looking at this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846605 in Debian's bug tracker it appears there is not yet a fix.
I guess ideally I'm looking for a way to determine if I am affected, and if I am affected to mitigate or patch the problem.
In this thread there was a discussion about checking via the doveconf tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best approach?
Then I imagine I need to check "the critical values auth_policy_server_url and auth_policy_hash_nonce" to see if those are set. If they are set what does one do? I guess that question is better asked once I've determined that I'm affected.
Thanks,
Jeremiah
Aki
On December 3, 2016 at 11:00 PM "Jeremiah C. Foster" jeremiah@jeremiahfoster.com wrote:
On Sat, 2016-12-03 at 21:25 +0200, Aki Tuomi wrote:
On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" wrote:
On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
On 03/12/2016 12:08, Jeremiah C. Foster wrote:
On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
On 02.12.2016 10:45, Jonas Wielicki wrote:
On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
<snip>
Important vulnerability in Dovecot (CVE-2016-8562)
Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
best regards, Jonas Wielicki
[1]: https://security-tracker.debian.org/tracker/CVE-2016-8562
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
Oops, sent wrong number, correct is CVE-2016-8652.
That is the same number, no?
No, read it again. The wrong and pasted copies are 8 5 62, his revised is 8 6 52.
Ah, thank you. So I guess the CVE is then here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a whole lot more information yet.
Cheers,
Jeremiah
Hi!
What piece of information are you missing?
Well the CVE web page says in the description: "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
Yes, it can take some time for that to update, what with this being unembargoed on Friday in the first place.
Looking at this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846605 in Debian's bug tracker it appears there is not yet a fix.
Interesting, there is a fix. Debian has probably not yet updated their page, for similar reasons as above.
I guess ideally I'm looking for a way to determine if I am affected, and if I am affected to mitigate or patch the problem.
In this thread there was a discussion about checking via the doveconf tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best approach?
Then I imagine I need to check "the critical values auth_policy_server_url and auth_policy_hash_nonce" to see if those are set. If they are set what does one do? I guess that question is better asked once I've determined that I'm affected.
If they are set, either apply the mentioned patch, upgrade to 2.2.27, or ensure their value is empty or they are commented out. Otherwise you are at risk.
Aki
Thanks,
Jeremiah
Aki
Am 02.12.2016 um 08:00 schrieb Aki Tuomi:
Workaround is to disable auth-policy component until fix is in place. This can be done by commenting out all auth_policy_* settings.
Hello,
could you be more verbose on how to verify if administrators are affected?
# doveconf -n | grep auth_policy_ | wc -l
0
but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
Is such setup vulnerable?
Thanks for clarification,
Andreas
On December 2, 2016 at 7:50 PM "A. Schulze" sca@andreasschulze.de wrote:
Am 02.12.2016 um 08:00 schrieb Aki Tuomi:
Workaround is to disable auth-policy component until fix is in place. This can be done by commenting out all auth_policy_* settings.
Hello,
could you be more verbose on how to verify if administrators are affected?
# doveconf -n | grep auth_policy_ | wc -l
0
but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
Is such setup vulnerable?
Thanks for clarification,
Andreas
Your setup is not vulnerable, the critical values are auth_policy_server_url and auth_policy_hash_nonce. Those are unset in your config.
Aki
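A concrete form of the check Aki describes above (look at the values of auth_policy_server_url and auth_policy_hash_nonce rather than counting matching lines), as an added shell example that is not part of this thread or of Dovecot itself. Because it parses a configuration dump, it gives the same verdict for `doveconf -n` output (non-default settings only) and for `doveconf -d` output (defaults included), which is what made the `grep | wc -l` count misleading. The two dumps are constructed, the policy URL and nonce are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Dovecot project code. Applies the criterion from the
# thread: the auth-policy component is active when auth_policy_server_url
# or auth_policy_hash_nonce carries a non-empty value.

# value_of KEY CONFIG_TEXT
# Prints the value of KEY from a doveconf-style "key = value" dump with
# surrounding whitespace stripped; prints nothing if the key is absent or
# its value is empty (doveconf prints unset settings as "key = ").
value_of() {
    key="$1"
    config="$2"
    printf '%s\n' "$config" \
        | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# auth_policy_active CONFIG_TEXT
# Prints "active" and returns 0 when the policy component is configured
# (the installation needs the fix or the workaround); otherwise prints
# "inactive" and returns 1.
auth_policy_active() {
    config="$1"
    url=$(value_of auth_policy_server_url "$config")
    nonce=$(value_of auth_policy_hash_nonce "$config")
    if [ -n "$url" ] || [ -n "$nonce" ]; then
        echo "active"
        return 0
    fi
    echo "inactive"
    return 1
}

# Constructed sample 1: a "doveconf -d" defaults dump like the one Andreas
# posted, with both critical values empty.
DEFAULT_DUMP='auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url ='

# Constructed sample 2: a "doveconf -n" dump from a host whose administrator
# has pointed Dovecot at a policy server. URL and nonce are placeholders.
POLICY_DUMP='auth_mechanisms = plain login
auth_policy_hash_nonce = EXAMPLE-NONCE-PLACEHOLDER
auth_policy_server_url = http://policy.example.invalid:4001/'

echo "defaults dump: $(auth_policy_active "$DEFAULT_DUMP")"
echo "policy dump:   $(auth_policy_active "$POLICY_DUMP")"

# On a real host, run the same check against the live configuration.
if command -v doveconf >/dev/null 2>&1; then
    echo "this host:     $(auth_policy_active "$(doveconf -n 2>/dev/null)")"
fi
```

The verdict "active" means the host is exposed unless it runs the fixed version or the two settings have been emptied or commented out, as Aki states; "inactive" matches the case Andreas asked about, where only the defaults are present.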
Aki Tuomi wrote on 02.12.16 at 08:00:
Hi Aki,
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13... and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c6...
Important vulnerability in Dovecot (CVE-2016-8562)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1
I think either it should read "up to 2.2.27" or "Fixed in: 2.2.27"
Or how about version 2.2.27? (without .1)
TIA
-Marc
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
On 05.12.2016 09:53, Marc Schiffbauer wrote:
Aki Tuomi wrote on 02.12.16 at 08:00:
Hi Aki,
We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13... and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c6...
Important vulnerability in Dovecot (CVE-2016-8562)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1
I think either it should read "up to 2.2.27" or "Fixed in: 2.2.27"
Or how about version 2.2.27? (without .1)
TIA
-Marc
I guess so, we'll take note of this.
Aki