Package: courier-pop
Severity: important

Dear Maintainer,
Uni Münster did a vulnerability scan on the Internet and reported a Debian server running courier-pop to be vulnerable to the equivalent of CVE-2011-0411. The system information is from another system, but the issue exists in the upstream source, so it doesn't matter.

The suggested fixes from www.postfix.org/CVE-2011-0411.html have never been implemented in courier-pop (according to the researchers, only in the IMAP implementation). There has been a very old bug report for Ubuntu (the Debian security team asked me to open a ticket in the Debian BTS for this): https://bugs.launchpad.net/ubuntu/+source/courier/+bug/1194892

In the meanwhile I got the information from a courier developer that, while courier-pop is vulnerable to the same issue as the other programs (where fixes have been implemented), according to him there has never been a practical exploit given the limitations of the POP3 protocol. The only possibility for an attacker would be to cause the server to send back errors or failures to the login request, and as the attacker is already MITM he/she could do that anyway.

As a measure of defense in depth and to prevent Internet scans from causing "noise", it might still be a good idea to implement the suggested fixes in the POP3 implementation too. Or someone could declare STARTTLS as broken anyway (then it should be disabled in the config and documented there), and users should use the TLS-only ports as the researchers recommended as a workaround.
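The defect behind CVE-2011-0411 and the fix the postfix.org page describes, as an added illustration that is not courier's code: a toy POP3 command loop without real TLS, where the only difference between the two variants is whether plaintext bytes already read ahead into the input buffer survive the STLS handshake. The session bytes and the function name are constructed for this example; STLS is the POP3 name of the STARTTLS command.

```python
# Added example (not courier code): a toy POP3 command loop that models the
# read-ahead buffer problem fixed in the postfix.org CVE-2011-0411 advisory.
# No real TLS is used; the "handshake" is the point where the server switches
# from the plaintext input buffer to bytes that arrive over the TLS layer.

def run_session(plaintext_wire: bytes, tls_wire: bytes,
                discard_after_stls: bool) -> dict:
    """Return which command lines the server processed before and after TLS.

    plaintext_wire: everything that arrived over the cleartext connection,
                    possibly several lines in one TCP segment.
    tls_wire:       the lines the client later sends inside the TLS session.
    discard_after_stls: the advisory's fix. A server that keeps its buffered
                    plaintext across the handshake treats any line an on-path
                    party appended after "STLS\r\n" as if it had come over TLS.
    """
    buf = plaintext_wire
    before, after = [], []
    tls_active = False
    while b"\r\n" in buf:
        line, _, buf = buf.partition(b"\r\n")
        cmd = line.split(b" ", 1)[0].upper()
        if tls_active:
            after.append(line.decode())
            continue
        if cmd == b"STLS":
            # The TLS handshake would happen here. The bug is what happens
            # to 'buf', which may still hold read-ahead plaintext.
            if discard_after_stls:
                buf = b""              # fixed: nothing read in plaintext survives
            buf += tls_wire            # vulnerable: old plaintext now precedes it
            tls_active = True
            continue
        before.append(line.decode())
    return {"plaintext": before, "after_tls": after}


if __name__ == "__main__":
    # Constructed session: "USER alice" sits in the same cleartext segment as
    # STLS; the real client only sends "USER bob" after the handshake.
    pt = b"CAPA\r\nSTLS\r\nUSER alice\r\n"
    print("buffer kept:     ", run_session(pt, b"USER bob\r\n", False))
    print("buffer discarded:", run_session(pt, b"USER bob\r\n", True))
```

The kept-buffer variant reports "USER alice" as a post-TLS command even though it never travelled inside TLS; the discarded-buffer variant only sees "USER bob".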
-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages courier-pop depends on:
pn  courier-authlib                     <none>
pn  courier-base                        <none>
ii  debconf [debconf-2.0]               1.5.71
pn  default-mta | mail-transport-agent  <none>
ii  libc6                               2.28-10
pn  libcourier-unicode4                 <none>
ii  libidn11                            1.33-2.2
ii  sysvinit-utils                      2.93-8

courier-pop recommends no packages.

Versions of packages courier-pop suggests:
pn  courier-doc  <none>
pn  mail-reader  <none>