On Wed, October 15, 2014 16:30, Henrik Langos wrote:
> Hi Thijs,
>
> On 10/15/14 14:26, Thijs Kinkhorst wrote:
>> On Wed, October 15, 2014 14:07, Henrik Langos wrote:
>>> There is a simple one line patch available for dovecot 2.0.
>>> Maybe a similar way exists for 1.2.
>> Do you have a pointer to this patch?
>>
>>
>> Thijs
>
> Sure.. Sorry, thought I had put them in the initial report:
>
> Here's the patch:
> http://www.dovecot.org/pipermail/dovecot/2014-October/098244.html
>
>
> There is also a statement that pop/imap might be harder/impossible to
> exploit but I wouldn't buy that just yet:
> http://www.dovecot.org/pipermail/dovecot/2014-October/098248.html

Thanks. But the patch does not make SSLv3 configurable, it just blocks it in a hardcoded way. This may be acceptable to some, but I'm reluctant to release this patch through the LTS security channel, because there's no way to avoid any breakage by admins except for not installing the update. Especially because, contrary to web browsers, we do not have a clear picture of the state of SSL/TLS version support in mail clients out there, so the impact is hard to measure.

Thijs