Debian Bug report logs - #989375
courier: CVE-2021-38084
Report forwarded to debian-bugs-dist@lists.debian.org, debbtsreports@htl-leonding.ac.at, Markus Wanner <markus@bluegap.ch>: Bug#989375; Package courier-pop. (Wed, 02 Jun 2021 07:03:04 GMT)
Acknowledgement sent to Sysadmin HTL Leonding <debbtsreports@htl-leonding.ac.at>: New Bug report received and forwarded. Copy sent to debbtsreports@htl-leonding.ac.at, Markus Wanner <markus@bluegap.ch>. (Wed, 02 Jun 2021 07:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: courier-pop
Severity: important
Dear Maintainer,
Uni Münster did a vulnerability scan on the Internet and reported a Debian server running
courier-pop to be vulnerable to the equivalent of CVE-2011-0411. The system information
is from another system, but the issue exists in the upstream source, so it doesn't matter.
The suggested fixes from
www.postfix.org/CVE-2011-0411.html
have never been implemented in courier-pop (according to the researchers only in the IMAP
implementation).
There has been a very old bug report for Ubuntu (Debian security team asked me to open a ticket
in Debian BTS for this):
https://bugs.launchpad.net/ubuntu/+source/courier/+bug/1194892
In the meantime I got the information from a courier developer that while courier-pop
is vulnerable to the same issue as the other programs (where fixes have been implemented),
according to him there has never been a practical exploit given the limitations of the
POP3 protocol. The only possibility for an attacker would be to cause the server to send back
errors or failures to the login request and as the attacker is already MITM he/she could do
that anyway.
As a measure of defense in depth and to prevent Internet scans from causing "noise", it might
still be a good idea to implement the suggested fixes in the POP3 implementation too.
Or someone could declare STARTTLS as broken anyway (then it should be disabled in config
and documented there) and users should use the TLS-only ports as researchers recommended
as workaround.
-- System Information:
Debian Release: 10.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-16-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages courier-pop depends on:
pn courier-authlib <none>
pn courier-base <none>
ii debconf [debconf-2.0] 1.5.71
pn default-mta | mail-transport-agent <none>
ii libc6 2.28-10
pn libcourier-unicode4 <none>
ii libidn11 1.33-2.2
ii sysvinit-utils 2.93-8
courier-pop recommends no packages.
Versions of packages courier-pop suggests:
pn courier-doc <none>
pn mail-reader <none>
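The flaw class the report refers to (CVE-2011-0411) is plaintext that a server buffers before the TLS handshake and then parses as if it had arrived inside TLS. As an added illustration (not Courier's code and not the upstream fix; every name below is hypothetical), this toy POP3 input buffer shows the buffer being carried across STLS next to a hardened variant that discards it:

```c
/* Added illustration, not Courier's code: a toy POP3 input buffer. */
#include <string.h>

struct conn {
    char buf[512];  /* bytes read from the socket, not yet parsed */
    size_t len;
    int tls;        /* 1 once the (simulated) TLS handshake is done */
};

/* Pop one LF-terminated line from c->buf into line; 1 if a line was found. */
static int next_line(struct conn *c, char *line, size_t cap)
{
    char *eol = memchr(c->buf, '\n', c->len);
    if (!eol) return 0;
    size_t n = (size_t)(eol - c->buf) + 1;
    size_t copy = n < cap ? n : cap - 1;
    memcpy(line, c->buf, copy);
    line[copy] = '\0';
    line[strcspn(line, "\r\n")] = '\0';
    memmove(c->buf, c->buf + n, c->len - n);
    c->len -= n;
    return 1;
}

/* STLS handler. With harden set, plaintext that arrived behind STLS is
 * thrown away before TLS starts. Returns the number of bytes discarded. */
size_t handle_stls(struct conn *c, int harden)
{
    size_t dropped = 0;
    if (harden) { dropped = c->len; c->len = 0; }
    c->tls = 1;     /* stands in for the real handshake */
    return dropped;
}

/* Feed one plaintext read (constructed sample input) and count the commands
 * that arrived before TLS but were parsed after it. */
int carried_over(const char *wire, int harden)
{
    struct conn c = { .len = 0, .tls = 0 };
    char line[128];
    int n = 0;
    c.len = strlen(wire) < sizeof c.buf ? strlen(wire) : sizeof c.buf;
    memcpy(c.buf, wire, c.len);
    while (next_line(&c, line, sizeof line)) {
        if (c.tls) n++;  /* treated as if it had been TLS-protected */
        /* exact match keeps the toy short; POP3 commands are case-insensitive */
        else if (strcmp(line, "STLS") == 0) handle_stls(&c, harden);
    }
    return n;
}
```

A nonzero return from `carried_over` means a command sent in the clear was handled in the post-handshake state; the hardened path returns zero for the same input.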
Added tag(s) upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Jun 2021 12:27:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Markus Wanner <markus@bluegap.ch>: Bug#989375; Package courier-pop. (Wed, 04 Aug 2021 18:09:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Markus Wanner <markus@bluegap.ch>. (Wed, 04 Aug 2021 18:09:03 GMT)
Message #12 received at 989375@bugs.debian.org:
Control: reassign -1 src:courier 1.0.16-3
Control: retitle -1 courier: CVE-2021-38084
Control: found -1 1.0.6-1
Hi,
On Wed, Jun 02, 2021 at 08:59:02AM +0200, Sysadmin HTL Leonding wrote:
> Package: courier-pop
> Severity: important
>
> Dear Maintainer,
>
> Uni Münster did a vulnerability scan on the Internet and reported a Debian server running
> courier-pop to be vulnerable to the equivalent of CVE-2011-0411. The system information
> is from another system, but the issue exists in the upstream source, so it doesn't matter.
>
> The suggested fixes from
> www.postfix.org/CVE-2011-0411.html
> have never been implemented in courier-pop (according to the researchers only in the IMAP
> implementation).
>
> There has been a very old bug report for Ubuntu (Debian security team asked me to open a ticket
> in Debian BTS for this):
> https://bugs.launchpad.net/ubuntu/+source/courier/+bug/1194892
>
> In the meantime I got the information from a courier developer that while courier-pop
> is vulnerable to the same issue as the other programs (where fixes have been implemented),
> according to him there has never been a practical exploit given the limitations of the
> POP3 protocol. The only possibility for an attacker would be to cause the server to send back
> errors or failures to the login request and as the attacker is already MITM he/she could do
> that anyway.
>
> As a measure of defense in depth and to prevent Internet scans from causing "noise", it might
> still be a good idea to implement the suggested fixes in the POP3 implementation too.
>
> Or someone could declare STARTTLS as broken anyway (then it should be disabled in config
> and documented there) and users should use the TLS-only ports as researchers recommended
> as workaround.
This now has its own CVE, CVE-2021-38084. Fixed upstream in 1.1.5
according to
https://sourceforge.net/p/courier/mailman/message/37329216/ .
Regards,
Salvatore
Bug reassigned from package 'courier-pop' to 'src:courier'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989375-submit@bugs.debian.org. (Wed, 04 Aug 2021 18:09:03 GMT)
Marked as found in versions courier/1.0.16-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989375-submit@bugs.debian.org. (Wed, 04 Aug 2021 18:09:03 GMT)
Changed Bug title to 'courier: CVE-2021-38084' from 'courier-pop: CVE-2011-0411 equivalent vulnerability - fix not implemented'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989375-submit@bugs.debian.org. (Wed, 04 Aug 2021 18:09:03 GMT)
Marked as found in versions courier/1.0.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989375-submit@bugs.debian.org. (Wed, 04 Aug 2021 18:09:04 GMT)
Last modified: Thu Aug 5 16:17:57 2021; Machine Name: buxtehude