search for: auth_policy_

We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc Important vulnerability in Dovecot (CVE-2016-8562) CVSS score: 7.4 (CVSS:3.0/AV:N/A...

Am 02.12.2016 um 08:00 schrieb Aki Tuomi: > Workaround is to disable auth-policy component until fix is in place. > This can be done by commenting out all auth_policy_* settings. Hello, could you be more verbose on how to verify if administrators are affected? # doveconf -n | grep auth_policy_ | wc -l 0 but there /are/ default settings: # doveconf -d | grep auth_policy_ auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 au...

On 02.12.2016 10:45, Jonas Wielicki wrote: > On Freitag, 2. Dezember 2016 09:00:58 CET Aki Tuomi wrote: >> We are sorry to report that we have a bug in dovecot, which merits a >> CVE. See details below. If you haven't configured any auth_policy_* >> settings you are ok. This is fixed with >> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13 >> a5a725ae and >> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c6 >> 7a8612fc >> >> Important vulnerabi...

...Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote: > On 02.12.2016 10:45, Jonas Wielicki wrote: On Freitag, 2. Dezember 2016 09:00:58 CET Aki Tuomi wrote: We are sorry to report that we have a bug in dovecot, which > merits a > CVE. See details below. If you haven't configured any > auth_policy_* > settings you are ok. This is fixed with > https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f3 > 4be960cff13 > a5a725ae and > https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d > 57351fd42c6 > 7a8612fc > > Important vulnerability in Dovecot...

...2.12.2016 10:45, Jonas Wielicki wrote: On Freitag, 2. Dezember > > > 2016 09:00:58 CET Aki Tuomi wrote: We are sorry to report that we > > > have a bug in dovecot, which > > > merits a > > > CVE. See details below. If you haven't configured any > > > auth_policy_* > > > settings you are ok. This is fixed with > > > https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f3 > > > 4be960cff13 > > > a5a725ae and > > > https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d > > > 57351fd42c6...

On Freitag, 2. Dezember 2016 09:00:58 CET Aki Tuomi wrote: > We are sorry to report that we have a bug in dovecot, which merits a > CVE. See details below. If you haven't configured any auth_policy_* > settings you are ok. This is fixed with > https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13 > a5a725ae and > https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c6 > 7a8612fc > > Important vulnerability in Dovecot (CVE-2016-8...

...On 02.12.2016 10:45, Jonas Wielicki wrote: > > On Freitag, 2. Dezember 2016 09:00:58 CET Aki Tuomi wrote: > > > We are sorry to report that we have a bug in dovecot, which > > > merits a > > > CVE. See details below. If you haven't configured any > > > auth_policy_* > > > settings you are ok. This is fixed with > > > https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f3 > > > 4be960cff13 > > > a5a725ae and > > > https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d > > > 57351fd42c6...

...mi wrote:? > > On 02.12.2016 10:45, Jonas Wielicki wrote: On Freitag, 2. Dezember > > 2016 09:00:58 CET Aki Tuomi wrote: We are sorry to report that we > > have a bug in dovecot, which > > merits a > > CVE. See details below. If you haven't configured any > > auth_policy_* > > settings you are ok. This is fixed with > > https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f3 > > 4be960cff13 > > a5a725ae and > > https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d > > 57351fd42c6 > > 7a8612fc > >...

...g=84660 5 in Debian's bug tracker it appears there is not yet a fix. I guess ideally I'm looking for a way to determine if I am affected, and if I am affected to mitigate or patch the problem. In this thread there was a discussion about checking via the doveconf tool; doveconf -n | grep auth_policy_ | wc -l. Is this the best approach? Then I imagine I need to check "the critical values auth_policy_server_url and auth_policy_hash_nonce" to see if those are set. If they are set what does one do? I guess that question is better asked once I've determined that I'm affected. Tha...

* Aki Tuomi schrieb am 02.12.16 um 08:00 Uhr: Hi Aki, > We are sorry to report that we have a bug in dovecot, which merits a > CVE. See details below. If you haven't configured any auth_policy_* > settings you are ok. This is fixed with > https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae > and > https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc > > Important vulnerability in Dovecot (CVE-2016-8562) &g...