> On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" <jeremiah at jeremiahfoster.com> wrote:
>
> On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
> > On 03/12/2016 12:08, Jeremiah C. Foster wrote:
> >
> > > On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
> > > On 02.12.2016 10:45, Jonas Wielicki wrote:
> > > On Freitag, 2. Dezember 2016 09:00:58 CET Aki Tuomi wrote:
> > > We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with
> > > https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and
> > > https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
> > >
> > > Important vulnerability in Dovecot (CVE-2016-8562)
> > > Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
> > >
> > > best regards,
> > > Jonas Wielicki
> > >
> > > [1]: https://security-tracker.debian.org/tracker/CVE-2016-8562
> > > [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
> >
> > Ups, sent wrong number, correct is CVE-2016-8652.
> > That is the same number, no?
> >
> > No, read it again. The wrong and pasted copy are 8 5 62, his revised is 8 6 52
>
> Ah, thank you. So I guess the CVE is then here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a whole lot more information yet.
>
> Cheers,
>
> Jeremiah

Hi!

What piece of information are you missing?

Aki

On Sat, 2016-12-03 at 21:25 +0200, Aki Tuomi wrote:
> > On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" <jeremiah at jeremiahfoster.com> wrote:
> >
> > On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
> > > On 03/12/2016 12:08, Jeremiah C. Foster wrote:
> > >
> > > > On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
> > > > On 02.12.2016 10:45, Jonas Wielicki wrote:
> > > > On Freitag, 2. Dezember 2016 09:00:58 CET Aki Tuomi wrote:
<snip>
> > > > Important vulnerability in Dovecot (CVE-2016-8562)
> > > > Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
> > > >
> > > > best regards,
> > > > Jonas Wielicki
> > > >
> > > > [1]:
> > > > [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
> > >
> > > Ups, sent wrong number, correct is CVE-2016-8652.
> > > That is the same number, no?
> > >
> > > No, read it again. The wrong and pasted copy are 8 5 62, his revised is 8 6 52
> >
> > Ah, thank you. So I guess the CVE is then here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a whole lot more information yet.
> >
> > Cheers,
> >
> > Jeremiah
>
> Hi!
>
> What piece of information are you missing?

Well the CVE web page says in the description: "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."

Looking at this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846605 in Debian's bug tracker it appears there is not yet a fix.

I guess ideally I'm looking for a way to determine if I am affected, and if I am affected to mitigate or patch the problem.

In this thread there was a discussion about checking via the doveconf tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best approach?

Then I imagine I need to check "the critical values auth_policy_server_url and auth_policy_hash_nonce" to see if those are set. If they are set what does one do? I guess that question is better asked once I've determined that I'm affected.

Thanks,

Jeremiah

> Aki

> On December 3, 2016 at 11:00 PM "Jeremiah C. Foster" <jeremiah at jeremiahfoster.com> wrote:
>
> On Sat, 2016-12-03 at 21:25 +0200, Aki Tuomi wrote:
> > > On December 3, 2016 at 9:11 PM "Jeremiah C. Foster" <jeremiah at jeremiahfoster.com> wrote:
> > >
> > > On Sat, 2016-12-03 at 12:23 +1000, Noel Butler wrote:
> > > > On 03/12/2016 12:08, Jeremiah C. Foster wrote:
> > > >
> > > > > On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
> > > > > On 02.12.2016 10:45, Jonas Wielicki wrote:
> > > > > On Freitag, 2. Dezember 2016 09:00:58 CET Aki Tuomi wrote:
> > <snip>
> > > > > Important vulnerability in Dovecot (CVE-2016-8562)
> > > > > Are you sure about the CVE number? According to Debian [1] and mitre [2], it's for SIEMENS something, not Dovecot.
> > > > >
> > > > > best regards,
> > > > > Jonas Wielicki
> > > > >
> > > > > [1]:
> > > > > [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
> > > >
> > > > Ups, sent wrong number, correct is CVE-2016-8652.
> > > > That is the same number, no?
> > > >
> > > > No, read it again. The wrong and pasted copy are 8 5 62, his revised is 8 6 52
> > >
> > > Ah, thank you. So I guess the CVE is then here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8652 but this doesn't provide a whole lot more information yet.
> > >
> > > Cheers,
> > >
> > > Jeremiah
> >
> > Hi!
> >
> > What piece of information are you missing?
>
> Well the CVE web page says in the description: "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
>

Yes, it can take some time for that to update, what with this being unembargoed on Friday in the first place.

> Looking at this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846605 in Debian's bug tracker it appears there is not yet a fix.
>

Interesting, there is a fix. Debian has probably not yet updated their page, for similar reasons as above.

> I guess ideally I'm looking for a way to determine if I am affected, and if I am affected to mitigate or patch the problem.
>
> In this thread there was a discussion about checking via the doveconf tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best approach?
>
> Then I imagine I need to check "the critical values auth_policy_server_url and auth_policy_hash_nonce" to see if those are set. If they are set what does one do? I guess that question is better asked once I've determined that I'm affected.
>

If they are set, either apply the mentioned patch, upgrade to 2.2.27, or ensure their value is empty or they are commented out. Otherwise you are at risk.

Aki

> Thanks,
>
> Jeremiah
>
> > Aki
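A scripted version of the check discussed in this thread, added here as an example; it is not code from any of the list posts or from Dovecot itself. It narrows the `doveconf -n | grep auth_policy_ | wc -l` idea to the two settings the advisory calls critical and treats an empty value as "not configured", which is the state Aki says is safe. It assumes only that `doveconf -n` prints configured settings as `name = value` lines and that `dovecot --version` begins with a dotted version number such as `2.2.26.0`; the two configuration excerpts embedded below are constructed for the example, not captured from a real host.

```sh
#!/bin/sh
# Added example, not code from the dovecot list thread or from Dovecot itself.
# Decides whether a host is exposed to CVE-2016-8652 from `doveconf -n` output
# and the installed version. Assumptions: `doveconf -n` prints configured
# settings as "name = value" lines, and `dovecot --version` starts with a
# dotted version such as "2.2.26.0 (hash)".

# Print every auth_policy_* setting that carries a non-empty value, one per
# line as name=value. Reads `doveconf -n` output on stdin. doveconf -n only
# prints settings that differ from the defaults, so anything listed here was
# set by the administrator; a setting with an empty value is dropped.
configured_auth_policy() {
    sed -n 's/^[[:space:]]*\(auth_policy_[a-z0-9_]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1=\2/p' |
        grep -v '=$'
}

# Exit 0 (affected) when auth_policy_server_url or auth_policy_hash_nonce is
# set to a non-empty value, 1 otherwise. Commented-out or emptied settings do
# not count, matching the mitigation given in the thread.
affected_by_cve_2016_8652() {
    configured_auth_policy | grep -Eq '^auth_policy_(server_url|hash_nonce)='
}

# Exit 0 when version $1 is at least version $2, comparing dot-separated
# numeric fields. Text from the first character that is neither a digit nor
# a dot (the " (hash)" suffix, an rc tag) is ignored; missing fields count as 0.
version_at_least() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    want=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        a=$(printf '%s.' "$have" | cut -d. -f"$i")
        b=$(printf '%s.' "$want" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && return 0   # every field compared equal
        a=${a:-0}
        b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
}

# Constructed `doveconf -n` excerpts for demonstration, not from a real host.
sample_affected() {
    cat <<'EOF'
# 2.2.26.0: /etc/dovecot/dovecot.conf
auth_mechanisms = plain login
auth_policy_hash_nonce = localized_random_string
auth_policy_server_url = http://policy.example.internal:4001/
mail_location = maildir:~/Maildir
EOF
}

sample_clean() {
    cat <<'EOF'
# 2.2.26.0: /etc/dovecot/dovecot.conf
auth_mechanisms = plain login
auth_policy_server_url =
mail_location = maildir:~/Maildir
EOF
}

# Live check on a host where Dovecot is installed; skipped elsewhere.
if command -v doveconf >/dev/null 2>&1 && command -v dovecot >/dev/null 2>&1; then
    ver=$(dovecot --version 2>/dev/null)
    if version_at_least "$ver" 2.2.27; then
        echo "dovecot $ver: contains the fix, no action needed"
    elif doveconf -n 2>/dev/null | affected_by_cve_2016_8652; then
        echo "dovecot $ver with auth_policy configured: apply the patch, upgrade to 2.2.27, or empty the auth_policy_* settings"
    else
        echo "dovecot $ver: no auth_policy_* settings configured, not affected"
    fi
fi
```

Run it as root (or any user allowed to read the Dovecot configuration) on the mail host; with no Dovecot present it defines the functions and exits quietly, which is what makes the sample excerpts testable offline. The version test is ordered first because a host already on 2.2.27 is fixed regardless of its auth_policy settings.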