CVE-2016-8652 in dovecot

Aki Tuomi aki.tuomi at dovecot.fi
Sat Dec 3 21:42:39 UTC 2016


> On December 3, 2016 at 11:00 PM "Jeremiah C. Foster" <jeremiah at jeremiahfoster.com> wrote:
> 
> 
> On Sat, 2016-12-03 at 21:25 +0200, Aki Tuomi wrote:
> > > On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" <jeremiah at jeremiahfoster.com> wrote:
> > > 
> > > On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
> > > > On 03/12/2016 12:08, Jeremiah C. Foster wrote:
> > > > 
> > > > > On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
> > > > > On 02.12.2016 10:45, Jonas Wielicki wrote:
> > > > > On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
> 
> <snip>
> 
> > > > > Important vulnerability in Dovecot (CVE-2016-8562) 
> > > > > Are you sure about the CVE number? According to Debian [1] and
> > > > > mitre [2], it's for SIEMENS something, not Dovecot.
> > > > > 
> > > > > best regards,
> > > > > Jonas Wielicki
> > > > > 
> > > > > [1]: 
> > > > > [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
> > > > 
> > > > Oops, sent wrong number, correct is CVE-2016-8652.
> > > > That is the same number, no?
> > > > 
> > > > No, read it again. The wrong and pasted copy are 8 5 62, his revised
> > > > is 8 6 52
> > > 
> > > Ah, thank you. So I guess the CVE is then here:
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this
> > > doesn't provide a whole lot more information yet.
> > > 
> > > Cheers,
> > > 
> > > Jeremiah
> > 
> > Hi!
> > 
> > What piece of information are you missing?
> 
> Well the CVE web page says in the description: "** RESERVED ** This
> candidate has been reserved by an organization or individual that will
> use it when announcing a new security problem. When the candidate has
> been publicized, the details for this candidate will be provided."
> 

Yes, it can take some time for that to update, what with this being unembargoed on Friday in the first place.

> Looking at this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846605
> in Debian's bug tracker it appears there is not yet a fix.
> 

Interesting, there is a fix. Debian has probably not yet updated their page, for similar reasons as above.

> I guess ideally I'm looking for a way to determine if I am affected,
> and if I am affected to mitigate or patch the problem. 
> 
> In this thread there was a discussion about checking via the doveconf
> tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best
> approach?
> 
> Then I imagine I need to check "the critical values
> auth_policy_server_url and auth_policy_hash_nonce" to see if those are
> set. If they are set what does one do? I guess that question is better
> asked once I've determined that I'm affected.
> 

If they are set, either apply the mentioned patch, upgrade to 2.2.27, or ensure their value is empty or they are commented out. Otherwise you are at risk.

Aki

> Thanks,
> 
> Jeremiah
> 
> 
> > 
> > Aki
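The "am I affected" check that the exchange above arrives at, written out as an added example. This is not code from the dovecot list or from the Dovecot project. It assumes that `doveconf -n` prints the non-default configuration one "key = value" per line (the format parsed here), it treats a commented-out or empty `auth_policy_server_url` / `auth_policy_hash_nonce` as "not set" as Aki describes, and it uses the 2.2.27 release he names as the version threshold. The two configuration samples are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for the CVE-2016-8652 check discussed in the thread. Not code
# from the dovecot list or the Dovecot project. Assumes `doveconf -n` prints
# non-default settings one "key = value" per line, and uses Aki's 2.2.27
# threshold for the version check.

# Read doveconf-style config on stdin and print each critical auth policy key
# that is set to a non-empty value. Commented-out lines are ignored, and
# "auth_policy_server_url =" (empty value) counts as not set.
policy_settings_set() {
  grep -v '^[[:space:]]*#' |
  awk -F'=' '
    $1 ~ /^[[:space:]]*auth_policy_(server_url|hash_nonce)[[:space:]]*$/ {
      key = $1
      sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
      # everything after the first "=", trimmed; a URL may itself contain "="
      val = substr($0, index($0, "=") + 1)
      sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
      if (val != "") print key
    }'
}

# Exit 0 when at least one critical setting is set (at risk per the thread),
# 1 otherwise.
policy_affected() {
  [ -n "$(policy_settings_set)" ]
}

# Exit 0 when a `dovecot --version` string such as "2.2.26.0 (23e2c37)" is
# older than 2.2.27, the release Aki names as carrying the fix; 1 otherwise.
needs_upgrade() {
  _v="${1%% *}"
  awk -v v="$_v" 'BEGIN {
    n = split(v, p, ".")
    major = p[1] + 0; minor = p[2] + 0; patch = (n >= 3) ? p[3] + 0 : 0
    if (major < 2 || (major == 2 && (minor < 2 || (minor == 2 && patch < 27))))
      exit 0
    exit 1
  }'
}

# Constructed samples of `doveconf -n` output (not captured from a real host).
SAMPLE_AT_RISK='# 2.2.26.0: /etc/dovecot/dovecot.conf
auth_policy_hash_nonce = localized_random_string
auth_policy_server_url = http://localhost:8080/
mail_location = maildir:~/Maildir
protocols = imap lmtp'

SAMPLE_MITIGATED='# 2.2.26.0: /etc/dovecot/dovecot.conf
#auth_policy_hash_nonce = localized_random_string
auth_policy_server_url =
mail_location = maildir:~/Maildir
protocols = imap lmtp'

# On a real host run:  doveconf -n | policy_settings_set
for sample in "$SAMPLE_AT_RISK" "$SAMPLE_MITIGATED"; do
  if printf '%s\n' "$sample" | policy_affected; then
    echo "at risk: critical auth_policy settings are set:"
    printf '%s\n' "$sample" | policy_settings_set | sed 's/^/  /'
  else
    echo "not at risk: auth_policy_server_url and auth_policy_hash_nonce are unset or empty"
  fi
done

if needs_upgrade "2.2.26.0 (23e2c37)"; then
  echo "older than 2.2.27: apply the patch or upgrade if the settings above are in use"
fi
```

The configuration check is the one that matters: `doveconf -n` only prints settings that differ from their defaults, so an installation that never enabled the auth policy feature prints nothing for these keys regardless of version. The version check is a secondary signal for hosts where the settings are in use and you want to know whether the packaged build already contains the 2.2.27 fix.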

