Dovecot version in precise too old to switch off SSLv3 protocol for "poodle" fix
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| dovecot (Ubuntu) | | Undecided | Marc Deslauriers | |
| Lucid | | Undecided | Unassigned | |
| Precise | | Undecided | Marc Deslauriers | |
| Trusty | | Undecided | Unassigned | |
| Utopic | | Undecided | Unassigned | |
| Vivid | | Undecided | Marc Deslauriers | |
Bug Description
SRU Request:
[Impact]
Dovecot in Precise does not contain the ssl_protocols configuration option that allows disabling SSLv3. Since there are now known weaknesses in SSLv3, it would be preferable to have an option to disable it like on later releases.
It may not be appropriate to default to having SSLv3 disabled yet. As such, this SRU only adds the configuration option, but doesn't enable it.
[Test Case]
1- Configure dovecot
2- Connect with SSLv3 only
3- add "ssl_protocols = !SSLv3" to dovecot configuration file
4- Connect with SSLv3 only
5- Connect with TLS to make sure it still works
Alternatively, the security team QRT script has been modified to test for this. It can be used.
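The test case above as a script (an added example, not part of the bug report or of Dovecot): each port is probed with `openssl s_client` once forcing SSLv3 and once with SSLv3 excluded, and the pair is judged. It assumes an `openssl` binary that still accepts `-ssl3`; the optional third argument selects STARTTLS for ports that upgrade in-band, the point made in comment #20 about port 25.

```sh
#!/bin/sh
# Added example, not part of the bug report or of Dovecot: the [Test Case]
# above as a script. Each port is probed twice with openssl s_client, once
# forcing SSLv3 and once with SSLv3 excluded, and the pair is judged.
# Pass a STARTTLS protocol (imap, pop3, smtp) for ports that upgrade in-band
# rather than speaking TLS from the first byte (see comment #20 on port 25).
# Assumes an openssl that still accepts -ssl3; builds without SSLv3 report
# that probe as "unsupported" rather than "refused".
set -u

# classify OUTPUT: reduce captured s_client output to one word.
classify() {
    case $1 in
        *"nknown option"*)    echo unsupported ;;  # this openssl lacks the protocol
        *"Cipher is (NONE)"*) echo refused ;;      # handshake tried, no session agreed
        *"Cipher is "*)       echo ok ;;           # a session was negotiated
        *"connect:"*)         echo unreachable ;;  # TCP-level failure
        *)                    echo refused ;;
    esac
}

# probe HOST PORT FLAG [STARTTLS]: run s_client with FLAG and classify the result.
probe() {
    if [ -n "${4:-}" ]; then
        out=$(openssl s_client -connect "$1:$2" -starttls "$4" "$3" </dev/null 2>&1) || true
    else
        out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) || true
    fi
    classify "$out"
}

# verdict SSLV3_RESULT TLS_RESULT: pass only if SSLv3 is refused and TLS still works.
verdict() {
    if [ "$2" != ok ]; then echo "FAIL: TLS connection does not work ($2)"
    elif [ "$1" = refused ]; then echo "PASS: SSLv3 refused, TLS works"
    elif [ "$1" = ok ]; then echo "FAIL: server still accepts SSLv3"
    else echo "INCONCLUSIVE: SSLv3 probe $1, TLS works"
    fi
}

# check_port HOST PORT [STARTTLS]: steps 2, 4 and 5 of the test case for one port.
check_port() {
    v3=$(probe "$1" "$2" -ssl3 "${3:-}")
    tls=$(probe "$1" "$2" -no_ssl3 "${3:-}")
    echo "$1:$2${3:+ (starttls $3)} -> $(verdict "$v3" "$tls")"
}

# Usage: sh check_sslv3.sh HOST PORT [imap|pop3|smtp], e.g. localhost 993
if [ "$#" -ge 2 ]; then check_port "$@"; fi
```

Run it once before and once after adding `ssl_protocols = !SSLv3`; the first run should report that the server still accepts SSLv3, the second should pass.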
[Regression Potential]
This touches the config file parsing code, and the SSL code. Any regression could result in the configuration file not being parsed correctly, or for some unknown issue with SSL negotiation.
Original description:
The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin, is 2.0.19.
This version is too old to switch off SSLv3, which has been designated insecure as of the recent "poodle" discovery [1].
In dovecot versions 2.1+ the protocol can be switched off, but for older versions the source code would need to be patched [2,3].
I asked the Ubuntu team to either backport a patch to 2.0.19, or package a newer version of dovecot for precise.
[1] https:/
[2] http://
[3] http://<email address hidden>
source package in precise security: dovecot 1:2.0.19-0ubuntu2.1
| information type: | Private Security → Public |
The attachment "disable SSLv3 in dovecot" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]
| tags: | added: patch |
| Launchpad Janitor (janitor) wrote : | #3 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in dovecot (Ubuntu): | |
| status: | New → Confirmed |
| Robie Basak (racb) wrote : | #4 |
I had a quick discussion with mdeslaur (security team) on #ubuntu-hardened.
He's not prepared to push changes which just turn SSLv3 off, since that would break clients. But he is prepared to sponsor security patches that add it as an option, so that users can opt to turn SSLv3 off after they've got the security update.
| information type: | Public → Public Security |
| Roger Cornelius (rac-3) wrote : | #5 |
According to https:/
| Simon Déziel (sdeziel) wrote : Re: [Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for "poodle" fix | #7 |
On 10/20/2014 11:18 AM, Roger Cornelius wrote:
> According to https:/
> protect-
> be switched off in 2.0.19 by adding "!SSLv3" to the ssl_cipher_list
> config option. Is that not correct?
Doing so will drop support for TLS 1.0 and 1.1 too (leaving 1.2 only).
This is explained by the fact that all the ciphers defined by SSLv3 are
also shared by TLS 1.0 and 1.1 so removing them only leaves those added
by TLS 1.2.
$ openssl ciphers -v 'ALL:!LOW:
77
$ openssl ciphers -v 'ALL:!LOW:
28
This is generally not advisable because many email clients do not
support TLS 1.2. The article should be fixed.
Simon
| Benjamin Greiner (greiner) wrote : | #6 |
It is not correct. Adding !SSLv3 to the cipher list removes the set of *ciphers* specified in the SSLv3 cipher suite [1], which would also disable ciphers listed in other suites. It has no effect on the *protocols* used.
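What `!SSLv3` in a cipher string actually does, as comments #6 and #7 explain, measured against the local OpenSSL (an added example, not from the bug report or from Dovecot): `openssl` labels each suite with the oldest protocol that defined it, so the TLS 1.0/1.1 suites carry the label "SSLv3", and excluding that alias removes suites, not a protocol. The `ALL:!LOW` baseline is a constructed stand-in for the truncated cipher string in comment #7.

```sh
#!/bin/sh
# Added example (not from the bug report): what "!SSLv3" in a cipher string
# actually does, as comments #6 and #7 explain. openssl labels each suite
# with the oldest protocol that defined it, so the TLS 1.0/1.1 suites carry
# the label "SSLv3"; excluding that alias removes suites, not a protocol.
# 'ALL:!LOW' is a constructed stand-in for the truncated string in comment #7.
set -u

# suite_count CIPHER_STRING: suites the string selects, minus TLS 1.3 suites,
# which the cipher string does not govern.
suite_count() {
    openssl ciphers -v "$1" | awk '$2 != "TLSv1.3"' | wc -l | tr -d ' '
}

# sslv3_labelled CIPHER_STRING: suites still carrying the literal "SSLv3" label.
sslv3_labelled() {
    openssl ciphers -v "$1" | awk '$2 == "SSLv3" {print $1}'
}

# pre12_suites CIPHER_STRING: remaining suites a TLS 1.0/1.1 client could still
# negotiate (any label other than TLSv1.2/TLSv1.3). How much of this set the
# SSLv3 alias covers varies between OpenSSL versions, so it is measured, not assumed.
pre12_suites() {
    openssl ciphers -v "$1" | awk '$2 != "TLSv1.2" && $2 != "TLSv1.3" {print $1}'
}

# report BASE FIX: compare the two cipher strings the way comment #7 did.
report() {
    printf '%-18s %s suites\n' "$1" "$(suite_count "$1")"
    printf '%-18s %s suites\n' "$2" "$(suite_count "$2")"
    left=$(pre12_suites "$2")
    if [ -z "$left" ]; then
        echo "No suite a TLS 1.0/1.1 client can use is left, yet no protocol was disabled:"
        echo "the SSLv3 protocol needs ssl_protocols, not ssl_cipher_list."
    else
        echo "Suites a TLS 1.0/1.1 client can still negotiate:"
        echo "$left"
    fi
}

report 'ALL:!LOW' 'ALL:!LOW:!SSLv3'
```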
| Roger Cornelius (rac-3) wrote : | #8 |
Thanks for the clarification.
| tags: | added: poodle |
| Marius Rieder (marius-rieder-m) wrote : | #9 |
So basically the following commit has to be backported to the 2.0 version. http://
I created a patch for 2.0.19 and tried it on our staging systems. This worked quite well for us.
| Changed in dovecot (Ubuntu): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Changed in dovecot (Ubuntu Vivid): | |
| status: | Confirmed → Fix Released |
| Changed in dovecot (Ubuntu Utopic): | |
| status: | New → Fix Released |
| Changed in dovecot (Ubuntu Trusty): | |
| status: | New → Fix Released |
| Changed in dovecot (Ubuntu Precise): | |
| status: | New → Confirmed |
| Changed in dovecot (Ubuntu Lucid): | |
| status: | New → Confirmed |
| Changed in dovecot (Ubuntu Precise): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Serge van Namen (pcktdmp) wrote : | #12 |
Made a quick patch for this package, tested it in the following way:
* Install package
* Start dovecot
* Connect with: `openssl s_client -connect localhost:995 -ssl3`
Getting an error that I can't connect on SSLv3, assumed this resolved the issue.
| information type: | Public Security → Private Security |
| information type: | Private Security → Public Security |
| description: | updated |
| description: | updated |
| Changed in dovecot (Ubuntu Precise): | |
| status: | Confirmed → In Progress |
Hello Benjamin, or anyone else affected,
Accepted dovecot into precise-proposed. The package will build now and be available at http://
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in dovecot (Ubuntu Precise): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed |
| tags: | added: verification-done removed: verification-needed |
| Rolf Leggewie (r0lf) wrote : | #14 |
How will this be dealt with in lucid, please? I guess POODLE isn't really that much of an issue for an IMAPS or POP3S session since there is no Javascript involved or am I mistaken?
| Chris J Arges (arges) wrote : Update Released | #15 |
The verification of the Stable Release Update for dovecot has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
| Launchpad Janitor (janitor) wrote : | #16 |
This bug was fixed in the package dovecot - 1:2.0.19-0ubuntu2.2
---------------
dovecot (1:2.0.
* Backport support for the ssl_protocols setting to easily allow
disabling SSLv3. (LP: #1381537)
- debian/
src/
src/
-- Marc Deslauriers <email address hidden> Mon, 27 Oct 2014 12:46:22 -0400
| Changed in dovecot (Ubuntu Precise): | |
| status: | Fix Committed → Fix Released |
| Marius Gedminas (mgedmin) wrote : | #17 |
Dovecot uses Unix password authentication by default. If those passwords leak, they can be used to ssh in and perhaps even for sudo.
| Rolf Leggewie (r0lf) wrote : | #18 |
lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".
| Changed in dovecot (Ubuntu Lucid): | |
| status: | Confirmed → Won't Fix |
| Mike Threesi (mike366) wrote : | #19 |
OK, I hate to be so stupid, but I need some help and can't seem to locate anyone knowledgeable so far:
In 10-ssl.conf I added: `ssl_protocols = !SSLv2 !SSLv3` (to no avail, so I think I am not patched)
Would appreciate some helpful comments / guidance please...
I did a fresh install of 12.04.5 on another machine, thinking that there had been a patch for dovecot, but I am still getting this error, so I assume it is not patched in 12.04.5 ? Or how do I get the patch installed?
This accepts the login: `openssl s_client -connect localhost:993 -ssl3`
This gives an error: `openssl s_client -connect localhost:465 -ssl3` "13985281637750
This too gives an error: `openssl s_client -connect localhost:25 -ssl3` "14020581650192
So if I go to a poodle website and check, they return OK for Poodle EXCEPT for 993 port, do you know what I am doing wrong?
BTW, these are the exact results from my long running 12.04.4 ubuntu, and we need to stay on 12.04 for now.
Throw me a bone, please - give me some detailed instructions of how I can fix this, thank you. My goal is to have port 25, 587, 465, 993, etc all !SSLv3 compliant.
Thank you
| Seth Arnold (seth-arnold) wrote : | #20 |
Port 25 is probably handled by postfix, exim, or sendmail, not dovecot. In any event, you can't simply connect directly to SMTP with TLS; SMTP requires using the STARTTLS command to upgrade a connection to TLS.
I suspect you'll find similar issues with your other ports; I don't know the details of those off-hand as well as SMTP, so I'll just ask how confident you are that your test case accurately reflects the protocols you're trying to test.
Thanks
Here is the patch from the mailing list ([3] in original post)