2014-10-15 13:39:18 |
Benjamin Greiner |
bug |
|
|
added bug |
2014-10-15 20:19:55 |
Benjamin Greiner |
cve linked |
|
2014-3566 |
|
2014-10-15 20:20:40 |
Benjamin Greiner |
information type |
Private Security |
Public |
|
2014-10-15 20:28:32 |
Benjamin Greiner |
attachment added |
|
disable SSLv3 in dovecot https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4237577/+files/dovecot-sslv3-disable.diff |
|
2014-10-15 20:31:38 |
Benjamin Greiner |
tags |
|
precise |
|
2014-10-16 00:22:40 |
Ubuntu Foundations Team Bug Bot |
tags |
precise |
patch precise |
|
2014-10-16 00:22:52 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2014-10-16 04:02:23 |
Launchpad Janitor |
dovecot (Ubuntu): status |
New |
Confirmed |
|
2014-10-16 10:41:41 |
Adrián Santos Marrero |
bug |
|
|
added subscriber Adrián Santos Marrero |
2014-10-16 11:49:04 |
Philipp |
bug |
|
|
added subscriber Philipp |
2014-10-16 14:43:31 |
Robie Basak |
information type |
Public |
Public Security |
|
2014-10-16 14:43:37 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2014-10-16 17:12:01 |
Christopher Gurnee |
bug |
|
|
added subscriber Christopher Gurnee |
2014-10-20 15:27:37 |
Roger Cornelius |
bug |
|
|
added subscriber Roger Cornelius |
2014-10-21 13:39:11 |
Robie Basak |
tags |
patch precise |
patch poodle precise |
|
2014-10-22 08:21:27 |
Mario Knippfeld |
bug |
|
|
added subscriber Mario Knippfeld |
2014-10-22 08:35:26 |
Marius Rieder |
attachment added |
|
Backport of 406a1d52390b https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4241680/+files/ssl_protocols.patch |
|
2014-10-24 13:30:47 |
Marc Deslauriers |
dovecot (Ubuntu): assignee |
|
Marc Deslauriers (mdeslaur) |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Precise |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
bug task added |
|
dovecot (Ubuntu Precise) |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Utopic |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
bug task added |
|
dovecot (Ubuntu Utopic) |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Vivid |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
bug task added |
|
dovecot (Ubuntu Vivid) |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Lucid |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
bug task added |
|
dovecot (Ubuntu Lucid) |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Trusty |
|
2014-10-24 19:55:24 |
Marc Deslauriers |
bug task added |
|
dovecot (Ubuntu Trusty) |
|
2014-10-24 19:55:33 |
Marc Deslauriers |
dovecot (Ubuntu Vivid): status |
Confirmed |
Fix Released |
|
2014-10-24 19:55:36 |
Marc Deslauriers |
dovecot (Ubuntu Utopic): status |
New |
Fix Released |
|
2014-10-24 19:55:40 |
Marc Deslauriers |
dovecot (Ubuntu Trusty): status |
New |
Fix Released |
|
2014-10-24 19:55:42 |
Marc Deslauriers |
dovecot (Ubuntu Precise): status |
New |
Confirmed |
|
2014-10-24 19:55:45 |
Marc Deslauriers |
dovecot (Ubuntu Lucid): status |
New |
Confirmed |
|
2014-10-24 19:55:48 |
Marc Deslauriers |
dovecot (Ubuntu Precise): assignee |
|
Marc Deslauriers (mdeslaur) |
|
2014-10-25 12:26:01 |
Serge van Namen |
attachment added |
|
untested https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4244576/+files/dovcot12-sslv3-disable.diff |
|
2014-10-25 12:33:10 |
Serge van Namen |
attachment removed |
untested https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4244576/+files/dovcot12-sslv3-disable.diff |
|
|
2014-10-25 12:36:06 |
Serge van Namen |
attachment added |
|
dovecot12-sslv3-disable.diff https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+attachment/4244579/+files/dovecot12-sslv3-disable.diff |
|
2014-10-25 12:44:39 |
Serge van Namen |
attachment removed |
dovecot12-sslv3-disable.diff https://bugs.launchpad.net/ubuntu/precise/+source/dovecot/+bug/1381537/+attachment/4244579/+files/dovecot12-sslv3-disable.diff |
|
|
2014-10-25 13:06:38 |
Serge van Namen |
attachment added |
|
dovecot12-sslv3-disable.diff https://bugs.launchpad.net/ubuntu/precise/+source/dovecot/+bug/1381537/+attachment/4244587/+files/dovecot12-sslv3-disable.diff |
|
2014-10-25 23:20:08 |
Christopher Gurnee |
information type |
Public Security |
Private Security |
|
2014-10-25 23:21:31 |
Christopher Gurnee |
information type |
Private Security |
Public Security |
|
2014-10-27 16:19:28 |
MaDDoG |
bug |
|
|
added subscriber MaDDoG |
2014-10-27 20:42:28 |
Marc Deslauriers |
description |
The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is 2.0.19
This version is too old to switch off SSLv3 which has been designated insecure as of the recent "poodle" discovery [1].
In dovecot versions 2.1+ the protocol can be switched off, but for older versions the source code would need to be patched [2,3]
I asked the Ubuntu team to either backport a patch to 2.0.19, or package a newer version of dovecot for precise.
[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
[3] http://www.mail-archive.com/dovecot@dovecot.org/msg59945.html
source package in precise security: dovecot 1:2.0.19-0ubuntu2.1 |
SRU Request:
[Impact]
Dovecot in Precise does not contain the ssl_protocols configuration option that allows disabling SSLv3. Since there are now known weaknesses in SSLv3, it would be preferable to have an option to disable it like on later releases.
[Test Case]
1- Configure dovecot
2- Connect with SSLv3 only
3- add "ssl_protocols = !SSLv3" to dovecot configuration file
4- Connect with SSLv3 only
5- Connect with TLS to make sure it still works
Alternatively, the security team QRT script has been modified to test for this. It can be used.
[Regression Potential]
This touches the config file parsing code, and the SSL code. Any regression could result in the configuration file not being parsed correctly, or for some unknown issue with SSL negotiation.
Original description:
The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is 2.0.19
This version is too old to switch off SSLv3 which has been designated insecure as of the recent "poodle" discovery [1].
In dovecot versions 2.1+ the protocol can be switched off, but for older versions the source code would need to be patched [2,3]
I asked the Ubuntu team to either backport a patch to 2.0.19, or package a newer version of dovecot for precise.
[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
[3] http://www.mail-archive.com/dovecot@dovecot.org/msg59945.html
source package in precise security: dovecot 1:2.0.19-0ubuntu2.1 |
|
2014-10-27 20:44:00 |
Marc Deslauriers |
description |
SRU Request:
[Impact]
Dovecot in Precise does not contain the ssl_protocols configuration option that allows disabling SSLv3. Since there are now known weaknesses in SSLv3, it would be preferable to have an option to disable it like on later releases.
[Test Case]
1- Configure dovecot
2- Connect with SSLv3 only
3- add "ssl_protocols = !SSLv3" to dovecot configuration file
4- Connect with SSLv3 only
5- Connect with TLS to make sure it still works
Alternatively, the security team QRT script has been modified to test for this. It can be used.
[Regression Potential]
This touches the config file parsing code, and the SSL code. Any regression could result in the configuration file not being parsed correctly, or for some unknown issue with SSL negotiation.
Original description:
The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is 2.0.19
This version is too old to switch off SSLv3 which has been designated insecure as of the recent "poodle" discovery [1].
In dovecot versions 2.1+ the protocol can be switched off, but for older versions the source code would need to be patched [2,3]
I asked the Ubuntu team to either backport a patch to 2.0.19, or package a newer version of dovecot for precise.
[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
[3] http://www.mail-archive.com/dovecot@dovecot.org/msg59945.html
source package in precise security: dovecot 1:2.0.19-0ubuntu2.1 |
SRU Request:
[Impact]
Dovecot in Precise does not contain the ssl_protocols configuration option that allows disabling SSLv3. Since there are now known weaknesses in SSLv3, it would be preferable to have an option to disable it like on later releases.
It may not be appropriate to default to having SSLv3 disabled yet. As such, this SRU only adds the configuration option, but doesn't enable it.
[Test Case]
1- Configure dovecot
2- Connect with SSLv3 only
3- add "ssl_protocols = !SSLv3" to dovecot configuration file
4- Connect with SSLv3 only
5- Connect with TLS to make sure it still works
Alternatively, the security team QRT script has been modified to test for this. It can be used.
[Regression Potential]
This touches the config file parsing code, and the SSL code. Any regression could result in the configuration file not being parsed correctly, or for some unknown issue with SSL negotiation.
Original description:
The current version of dovecot in Ubuntu 12.04 LTS, Precise Pangolin is 2.0.19
This version is too old to switch off SSLv3 which has been designated insecure as of the recent "poodle" discovery [1].
In dovecot versions 2.1+ the protocol can be switched off, but for older versions the source code would need to be patched [2,3]
I asked the Ubuntu team to either backport a patch to 2.0.19, or package a newer version of dovecot for precise.
[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
[3] http://www.mail-archive.com/dovecot@dovecot.org/msg59945.html
source package in precise security: dovecot 1:2.0.19-0ubuntu2.1 |
|
2014-10-27 20:44:55 |
Marc Deslauriers |
dovecot (Ubuntu Precise): status |
Confirmed |
In Progress |
|
2014-10-27 20:45:22 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2014-10-28 11:12:46 |
Gaurav Ashtikar |
bug |
|
|
added subscriber Gaurav Ashtikar |
2014-10-28 13:57:53 |
Chris J Arges |
dovecot (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2014-10-28 13:58:00 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2014-10-28 13:58:03 |
Chris J Arges |
tags |
patch poodle precise |
patch poodle precise verification-needed |
|
2014-10-28 15:28:37 |
Simon Déziel |
tags |
patch poodle precise verification-needed |
patch poodle precise verification-done |
|
2014-10-28 17:27:43 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/dovecot |
|
2014-11-04 16:06:44 |
Chris J Arges |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2014-11-04 16:12:12 |
Launchpad Janitor |
dovecot (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2015-06-18 01:42:48 |
Rolf Leggewie |
dovecot (Ubuntu Lucid): status |
Confirmed |
Won't Fix |
|