dovecot - Jan 2017 - Dovecot source code audit

Mozilla sponsored source code audit for Dovecot. So thanks to them we have our
first public code audit:
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot

Dates: October 2016 - January 2017

dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
deployments worldwide. The audit was performed by Cure53.

The team found the following problems:

	? 3 Low

The Cure53 team were extremely impressed with the quality of the dovecot code.
They wrote: "Despite much effort and thoroughly all-encompassing approach,
the Cure53 testers only managed to assert the excellent security-standing of
Dovecot. More specifically, only three minor security issues have been found in
the codebase, thus translating to an exceptionally good outcome for Dovecot, and
a true testament to the fact that keeping security promises is at the core of
the Dovecot development and operations."

Congratulations Timo and all.

Michael

> -----Original Message-----
> From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of Timo
> Sirainen
> Sent: Friday, January 13, 2017 9:17 AM
> To: Dovecot Mailing List <dovecot at dovecot.org>
> Subject: Dovecot source code audit
> 
> Mozilla sponsored source code audit for Dovecot. So thanks to them we have
> our first public code audit:
> https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot
> 
> Dates: October 2016 - January 2017
> 
> dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
> deployments worldwide. The audit was performed by Cure53.
> 
> The team found the following problems:
> 
> 	? 3 Low
> 
> The Cure53 team were extremely impressed with the quality of the dovecot
> code. They wrote: "Despite much effort and thoroughly all-encompassing
> approach, the Cure53 testers only managed to assert the excellent
> security-standing of Dovecot. More specifically, only three minor security
> issues have been found in the codebase, thus translating to an
> exceptionally good outcome for Dovecot, and a true testament to the fact
> that keeping security promises is at the core of the Dovecot development
> and operations."

On 2017.01.13. 19:17, Timo Sirainen wrote:
> Mozilla sponsored source code audit for Dovecot. So thanks to them we have
our first public code audit:
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot
>
> Dates: October 2016 - January 2017
>
> dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
deployments worldwide. The audit was performed by Cure53.
>
> The team found the following problems:
>
> 	? 3 Low
>
> The Cure53 team were extremely impressed with the quality of the dovecot
code. They wrote: "Despite much effort and thoroughly all-encompassing
approach, the Cure53 testers only managed to assert the excellent
security-standing of Dovecot. More specifically, only three minor security
issues have been found in the codebase, thus translating to an exceptionally
good outcome for Dovecot, and a true testament to the fact that keeping security
promises is at the core of the Dovecot development and operations."
>
Congratulations and thank you for good work!

--
KSB

Great news!  I read the report, and it was enlightening as well.

Congrats, Timo & Dovecot folks!

On Fri, Jan 13, 2017 at 2:05 PM, Michael Fox <news at mefox.org> wrote:
> Congratulations Timo and all.
>
> Michael
>
>
> > -----Original Message-----
> > From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of
Timo
> > Sirainen
> > Sent: Friday, January 13, 2017 9:17 AM
> > To: Dovecot Mailing List <dovecot at dovecot.org>
> > Subject: Dovecot source code audit
> >
> > Mozilla sponsored source code audit for Dovecot. So thanks to them we
> have
> > our first public code audit:
> > https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot
> >
> > Dates: October 2016 - January 2017
> >
> > dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
> > deployments worldwide. The audit was performed by Cure53.
> >
> > The team found the following problems:
> >
> >       ? 3 Low
> >
> > The Cure53 team were extremely impressed with the quality of the
dovecot
> > code. They wrote: "Despite much effort and thoroughly
all-encompassing
> > approach, the Cure53 testers only managed to assert the excellent
> > security-standing of Dovecot. More specifically, only three minor
> security
> > issues have been found in the codebase, thus translating to an
> > exceptionally good outcome for Dovecot, and a true testament to the
fact
> > that keeping security promises is at the core of the Dovecot
development
> > and operations."
>


-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c)     E-Mail: larryrtx at gmail.com
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281

Congradulations. (Reminds me that is time I got started on the AIX xlc 
port...)

On 13-Jan-17 18:17, Timo Sirainen wrote:
> Mozilla sponsored source code audit for Dovecot. So thanks to them we have
our first public code audit:
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot
>
> Dates: October 2016 - January 2017
>
> dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
deployments worldwide. The audit was performed by Cure53.
>
> The team found the following problems:
>
> 	? 3 Low
>
> The Cure53 team were extremely impressed with the quality of the dovecot
code. They wrote: "Despite much effort and thoroughly all-encompassing
approach, the Cure53 testers only managed to assert the excellent
security-standing of Dovecot. More specifically, only three minor security
issues have been found in the codebase, thus translating to an exceptionally
good outcome for Dovecot, and a true testament to the fact that keeping security
promises is at the core of the Dovecot development and operations."
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 13 Jan 2017, Timo Sirainen wrote:
> Mozilla sponsored source code audit for Dovecot. So thanks to them we have
our first public code audit:
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot
>
> Dates: October 2016 - January 2017
>
> dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
deployments worldwide. The audit was performed by Cure53.
>
> The team found the following problems:
>
> 	? 3 Low
Congratulations.

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBWHx7z3z1H7kL/d9rAQIunAf+PTs0C03TD5Fa9R82DdZt370eluds0qTL
M2N32QkDrmaTi6VkWg9I8v9YoV2jjg7zSy6lSskfqY8Pu2woKL9CplQaGTwwy7ki
bs1uyjI2ZStBwgUkrhtFO/Tbxm6IqmMRm9NNfBmXnnwd8qFtYDlFPKxY9ah2A/bB
qROhXftt+qM1l0LD1kv846AehZNJkMrrBmbkgWm83IndwpbiJ1BWd4nIv7cELSlA
D5bKlD9y/qUIxUn0A2x4jrUwnfb+Tp99e3kuYcTlj3Tfh8k9e1+3BrPNjGEWL6pd
s/fMXgddkqkXxzjqsl42QRrhs9EmblkUhrao55OFkSr0T+xttOwZ9g==0/Te
-----END PGP SIGNATURE-----

Congratulations.

On 13 January 2017 at 22:47, Timo Sirainen <tss at iki.fi> wrote:
> Mozilla sponsored source code audit for Dovecot. So thanks to them we have
> our first public code audit: https://wiki.mozilla.org/MOSS/
> Secure_Open_Source/Completed#dovecot
>
> Dates: October 2016 - January 2017
>
> dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
> deployments worldwide. The audit was performed by Cure53.
>
> The team found the following problems:
>
>         ? 3 Low
>
> The Cure53 team were extremely impressed with the quality of the dovecot
> code. They wrote: "Despite much effort and thoroughly all-encompassing
> approach, the Cure53 testers only managed to assert the excellent
> security-standing of Dovecot. More specifically, only three minor security
> issues have been found in the codebase, thus translating to an
> exceptionally good outcome for Dovecot, and a true testament to the fact
> that keeping security promises is at the core of the Dovecot development
> and operations."
>


-- 
Sincerely,
Prakash P. Autade.

On 13 January 2017 at 20:17, Timo Sirainen <tss at iki.fi> wrote:
> Mozilla sponsored source code audit for Dovecot. So thanks to them we have
> our first public code audit: https://wiki.mozilla.org/MOSS/
> Secure_Open_Source/Completed#dovecot
>
> Dates: October 2016 - January 2017
>
> dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
> deployments worldwide. The audit was performed by Cure53.
>
> The team found the following problems:
>
>         ? 3 Low
>
> The Cure53 team were extremely impressed with the quality of the dovecot
> code. They wrote: "Despite much effort and thoroughly all-encompassing
> approach, the Cure53 testers only managed to assert the excellent
> security-standing of Dovecot. More specifically, only three minor security
> issues have been found in the codebase, thus translating to an
> exceptionally good outcome for Dovecot, and a true testament to the fact
> that keeping security promises is at the core of the Dovecot development
> and operations."
>
Congratulations!

".. used in 68% of IMAP server deployments worldwide." -
congratulations to
that too!


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Congratulations.


On Fri, Jan 13, 2017 at 6:17 PM, Timo Sirainen <'tss at iki.fi'>
wrote:
Mozilla sponsored source code audit for Dovecot. So thanks to them we have our
first public code audit:
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot

Dates: October 2016 - January 2017

dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
deployments worldwide. The audit was performed by Cure53.

The team found the following problems:

? 3 Low

The Cure53 team were extremely impressed with the quality of the dovecot code.
They wrote: "Despite much effort and thoroughly all-encompassing approach,
the Cure53 testers only managed to assert the excellent security-standing of
Dovecot. More specifically, only three minor security issues have been found in
the codebase, thus translating to an exceptionally good outcome for Dovecot, and
a true testament to the fact that keeping security promises is at the core of
the Dovecot development and operations."

"used in 68% of IMAP server deployments worldwide"...

... this means that hackers have a new target to prove themselves, and to prove
Cure53 is less than we think they are. We ought to brace for the storm ahead.


On Fri, Jan 13, 2017 at 6:17 PM, Timo Sirainen <'tss at iki.fi'>
wrote:
Mozilla sponsored source code audit for Dovecot. So thanks to them we have our
first public code audit:
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot

Dates: October 2016 - January 2017

dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
deployments worldwide. The audit was performed by Cure53.

The team found the following problems:

? 3 Low

The Cure53 team were extremely impressed with the quality of the dovecot code.
They wrote: "Despite much effort and thoroughly all-encompassing approach,
the Cure53 testers only managed to assert the excellent security-standing of
Dovecot. More specifically, only three minor security issues have been found in
the codebase, thus translating to an exceptionally good outcome for Dovecot, and
a true testament to the fact that keeping security promises is at the core of
the Dovecot development and operations."