CVE-2016-8562 in dovecot

Aki Tuomi aki.tuomi at dovecot.fi
Fri Dec 2 19:45:36 UTC 2016


> On December 2, 2016 at 7:50 PM "A. Schulze" <sca at andreasschulze.de> wrote:
> 
> 
> 
> 
> On 02.12.2016 at 08:00, Aki Tuomi wrote:
> > Workaround is to disable auth-policy component until fix is in place.
> > This can be done by commenting out all auth_policy_* settings.
> 
> Hello,
> 
> could you be more verbose on how to verify if administrators are affected?
> 
> # doveconf -n | grep auth_policy_ | wc -l
> 0
> 
> but there /are/ default settings:
> # doveconf -d | grep auth_policy_
> auth_policy_hash_mech = sha256
> auth_policy_hash_nonce = 
> auth_policy_hash_truncate = 12
> auth_policy_reject_on_fail = no
> auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
> auth_policy_server_api_header = 
> auth_policy_server_timeout_msecs = 2000
> auth_policy_server_url = 
> 
> Is such setup vulnerable?
> 
> Thanks for clarification,
> Andreas

Your setup is not vulnerable, the critical values are auth_policy_server_url and auth_policy_hash_nonce. Those are unset in your config.

Aki
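As an added illustration of the check discussed above (this script is not part of the thread and not Dovecot's own tooling), the following POSIX shell function takes `doveconf` output and reports whether the auth-policy component is active, using the two settings Aki names as critical: `auth_policy_server_url` and `auth_policy_hash_nonce`. The sample configurations embedded in it are constructed; the policy-server hostname and nonce value are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Dovecot project.
# Decides from doveconf output whether the auth-policy component is in use,
# i.e. whether the CVE-2016-8562 workaround (commenting out all auth_policy_*
# settings) is actually in effect on a host.

# auth_policy_enabled CONFIG_TEXT
# Returns 0 (active) when auth_policy_server_url is non-empty, 1 otherwise,
# and prints a one-line summary that also says whether a nonce is set.
auth_policy_enabled() {
    config="$1"
    # Take the last occurrence so a later override wins, as in doveconf output.
    url=$(printf '%s\n' "$config" | sed -n 's/^auth_policy_server_url *= *//p' | tail -n 1)
    nonce=$(printf '%s\n' "$config" | sed -n 's/^auth_policy_hash_nonce *= *//p' | tail -n 1)
    if [ -n "$url" ]; then
        if [ -n "$nonce" ]; then nonce_state=yes; else nonce_state=no; fi
        echo "auth-policy ACTIVE: server_url='$url' nonce_set=$nonce_state"
        return 0
    fi
    echo "auth-policy inactive (auth_policy_server_url unset)"
    return 1
}

# Constructed sample: component left at its defaults, as in Andreas' `doveconf -d`.
SAMPLE_DEFAULTS='auth_policy_hash_mech = sha256
auth_policy_hash_nonce = 
auth_policy_hash_truncate = 12
auth_policy_server_url = '

# Constructed sample: an administrator has pointed Dovecot at a policy server
# (hostname and nonce are placeholders, not real values).
SAMPLE_CONFIGURED='auth_policy_server_url = http://policy.example.invalid:8080/
auth_policy_hash_nonce = REPLACE_WITH_SECRET'

# Live check on the running instance. `doveconf -n` lists only non-default
# settings, so it is the right source for "is the workaround in place".
check_live() {
    auth_policy_enabled "$(doveconf -n 2>/dev/null)"
}
```

Run `check_live` on each Dovecot host; an "inactive" result means the setup matches the situation Aki describes as not vulnerable, while "ACTIVE" means the workaround has not been applied.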

