similar to: SSL vulnerability and SSH

Displaying 20 results from an estimated 2000 matches similar to: "SSL vulnerability and SSH"

2016 Mar 10
2
Client-initiated secure renegotiation
On Thu, Mar 10, 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl> wrote: > On 09-03-16 13:14, djk wrote: >> On 09/03/16 10:44, Florent B wrote: >>> Hi, >>> >>> I don't see any SSL configuration option in Dovecot to disable >>> "Client-initiated secure renegotiation". >>> >>> It is advised to disable it as it can
2023 Dec 18
0
Announce: OpenSSH 9.6 released
OpenSSH 9.6 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested
2023 Dec 18
1
Announce: OpenSSH 9.6 released
OpenSSH 9.6 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested
2013 Aug 06
2
Openssl vulnerability - SSL/ TLS Renegotion Handshakes
Hi, I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan: "SSL/ TLS Renegotion Handshakes MiTm Plaintext Data Injection" As per following link, Redhat has introduced openssl-0.9.8m which fixes this specific issue:
2016 Mar 09
2
Client-initiated secure renegotiation
On 09/03/16 10:44, Florent B wrote:
> Hi,
>
> I don't see any SSL configuration option in Dovecot to disable
> "Client-initiated secure renegotiation".
>
> It is advised to disable it as it can cause DDoS (CVE-2011-1473).
>
> Is it possible to have this possibility through an SSL option or other ?
>
> Thank you.
>
> Florent

ssl_protocols = !SSLv3
2008 Jan 16
2
Zap Issues
Using Asterisk-1.4.17, Zaptel-1.4.8, libpri-1.4.3 Upgraded this morning, now PRI channels are unstable as hell. After about 5 minutes all asterisk commands on the console refuse to respond, attached is the debug log right before and after the "lock-up", IT occurred between 9:18 and 9:20 AM at 9:20 I restarted asterisk. Box is debian w/ asterisk built from scratch. My setup is
2015 Aug 18
0
SSL Renegotiation Attack "Disabling reneotiation"
hai, As far as I know, no. Unless you are forcing all clients to use SSLv2 only (since that doesn't support renegotiation). Are you sure you want to disable it and not just prevent old clients from using the vulnerable renegotiation methods? If it's the last you'll need to upgrade to 2.8+ to get access to tls_disable_workarounds. You have 2 problems. - One is the vulnerable
2014 Oct 20
0
AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Asterisk Project Security Advisory - AST-2014-011 Product Asterisk Summary Asterisk Susceptibility to POODLE Vulnerability Nature of Advisory Unauthorized Data Disclosure Susceptibility Remote Unauthenticated Sessions Severity Medium
2015 Aug 23
0
[security] Thunderbird vulnerable to MITM
On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote: > Thunderbird has a MITM vulnerability with its otherwise rather groovy > auto-configuration feature. > https://librelamp.com/FooBird#security > > has what I think would be the easiest solution while keeping the > ability to auto-configure stuff. As for LibreSSL et al, perhaps you could mention all your concerns on
2015 Aug 24
0
[security] Thunderbird vulnerable to MITM
Hello, On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote: > Thunderbird has a MITM vulnerability with its otherwise rather groovy > auto-configuration feature. > > The problem is that it makes requests via HTTP to retrieve the auto > configuration information. > > This allows a black hat (e.g. the NSA) to modify the results sent to the > client, and the client has
2017 Aug 22
0
pop 110/995, imap 143/993 ?
>> Lest anyone think STARTTLS MITM doesn't happen, >> >> https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/ Right, the attack does happen, but it can be prevented by properly configuring the server and client. >> Not only for security, I prefer port 993/995 as it's just plain >> simpler to initiate SSL from the get-go
2015 Aug 22
4
[security] Thunderbird vulnerable to MITM
Thunderbird has a MITM vulnerability with its otherwise rather groovy auto-configuration feature. The problem is that it makes requests via HTTP to retrieve the auto configuration information. This allows a black hat (e.g. the NSA) to modify the results sent to the client, and the client has no way to verify the results have not been tampered with. This could even allow the black hat to act
2015 Aug 23
2
[security] Thunderbird vulnerable to MITM
On 08/23/2015 07:25 AM, Always Learning wrote: > > On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote: > >> Thunderbird has a MITM vulnerability with its otherwise rather groovy >> auto-configuration feature. > >> https://librelamp.com/FooBird#security >> >> has what I think would be the easiest solution while keeping the >> ability to
2010 Sep 22
0
TLS re-negotiation attack on SIP/TLS of Asterisk?
Hi all, I read about the TLS-RENEGOTIATION vulnerability: http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html www.phonefactor.com/sslgapdocs/Renegotiating_TLS.pdf Does the Asterisk 1.6/1.8 SIP/TLS implementation suffer from the TLS Renegotiation vulnerability or the
2013 Apr 19
0
OpenSSH_6.1p1 sends a SSH packet bigger than 32K
The full SSH_MSG_CHANNEL_DATA packet looks like this:

    uint32 packet length
    byte SSH_MSG_CHANNEL_DATA
    uint32 recipient channel
    uint32 nr data bytes
    byte[] data

OpenSSH_6.1p1 considers that the 'maximum packet size' from SSH_MSG_CHANNEL_OPEN or SSH_MSG_CHANNEL_OPEN_CONFIRMATION impacts only the 'byte[] data' field and not the entire message (headers included).
2024 Feb 05
0
Server-side algorithms selection
Hi, according to RFC 4253 https://www.rfc-editor.org/rfc/rfc4253#section-7.1 for the selection of algorithms (ciphers, KEX, MAC etc.), the leftmost matching client algorithm is picked. While this is fine in most cases, there are cases where it is not desirable, for example: 1) for compatibility with a single old client you enable an old cipher, say aes128-cbc, server side. A modern client
2019 Apr 11
1
Secure Client-Initiated Renegotiation
Hello. I've just tested my system that runs dovecot 2.3.4.1 on debian buster with testssl.sh (https://testssl.sh/) and it says: Secure Renegotiation (CVE-2009-3555) not vulnerable (OK) Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), potential DoS threat Is this a configuration or a compilation issue and how to solve it? -- sergio.
2019 Jul 18
1
Dovecot 2.3.0 TLS
Hello, I don't know who will read this message, but I found this thread: https://www.mail-archive.com/search?l=dovecot at dovecot.org&q=subject:%22Dovecot+2.3.0+TLS%22&o=newest And I'm expected the same issue, I will try to explain to you (english is not my native language, sorry) Since Buster update, so Dovecot update too, I'm not able to connect to my mail server from my
2017 Aug 22
1
pop 110/995, imap 143/993 ?
Robert Wolf wrote: >> else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you >> have enabled something like cram-md5. > > Hi, > > exactly, this is the reason, why plain-text is still needed. You don't need > encryption for authentication, if you have secure authentication. Without > knowing original password, the MITM cannot generate correct hash