
SLES 11 SP4 applied slessp4-cyrus-imapd-12589 Outlook could not connect



jimsmithson
09-Jun-2016, 20:54
Outlook 2007

Patch description would seem to imply patch is fully backward compatible but it is not.

Jun 9 13:08:21 debsweb imaps[24533]: imapd:Loading hard-coded DH parameters
Jun 9 13:08:21 debsweb imaps[24533]: SSL_accept() incomplete -> wait
Jun 9 13:08:21 debsweb imaps[24533]: EOF in SSL_accept() -> fail
Jun 9 13:08:21 debsweb imaps[24533]: imaps TLS negotiation failed: gateway [XXXXXXX]
Jun 9 13:08:21 debsweb imaps[24533]: Fatal error: tls_start_servertls() failed
Jun 9 13:08:21 debsweb master[23853]: process 24533 exited, status 75

Patch: slessp4-cyrus-imapd-12589   Kind: security   Version: 1

This update for cyrus-imapd fixes the following issues:
- Previous versions of cyrus-imapd would not allow its users to disable old SSL variants that are vulnerable to attacks like BEAST and POODLE. This patch adds the configuration option 'tls_versions' to remedy that issue. Note that users who upgrade an existing installation will *not* have their imapd.conf file overwritten, i.e. their IMAP server will continue to support SSLv2 and SSLv3 like before. To disable support for those protocols, edit imapd.conf manually to include "tls_versions: tls1_0 tls1_1 tls1_2". New installations, however, will have an imapd.conf file that contains these settings already, i.e. newly installed IMAP servers do *not* support unsafe versions of SSL unless that support is explicitly enabled by the user. (bsc#901748)
- An integer overflow vulnerability in cyrus-imapd's urlfetch range checking code was fixed. (CVE-2015-8076, CVE-2015-8077, CVE-2015-8078, bsc#981670, bsc#954200, bsc#954201)
- Support for Elliptic Curve Diffie–Hellman (ECDH) has been added to cyrus-imapd. (bsc#860611)

References:
981670 (bugzilla): VUL-0: CVE-2015-8076: cyrus-imapd: urlfetch range handling flaw in Cyrus
901748 (bugzilla): VUL-1: CVE-2014-3566: cyrus-imap: POODLE: add patch to allow disabling of SSL
954200 (bugzilla): VUL-0: CVE-2015-8077: cyrus-imapd: Integer overflow in range checks
954201 (bugzilla): VUL-0: CVE-2015-8078: cyrus-imapd: Integer overflow in index_urlfetch
860611 (bugzilla): cyrus-imapd: enable ECDHE support
CVE-2015-8076 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8076
CVE-2015-8078 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8078
CVE-2014-3566 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
CVE-2015-8077 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8077
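An added example, not code from this post or from the cyrus-imapd project: a small Python checker covering the two things the post above shows, the failing-handshake log pattern (EOF from the client inside SSL_accept(), then "TLS negotiation failed" and a worker exit with status 75) and the new tls_versions option whose absence on an upgraded server leaves SSLv2/SSLv3 enabled. The log sample is the six lines from the post plus a constructed second worker whose handshake succeeds; that worker's "starttls:" line is an approximation of Cyrus's success message, not a line from the page, and the imapd.conf samples and the file paths inside them are constructed too.

```python
import re
from collections import defaultdict

# Constructed sample input: the six syslog lines from the post (worker 24533),
# plus a constructed second worker (24540) that completes its handshake.
SAMPLE_LOG = """\
Jun 9 13:08:21 debsweb imaps[24533]: imapd:Loading hard-coded DH parameters
Jun 9 13:08:21 debsweb imaps[24533]: SSL_accept() incomplete -> wait
Jun 9 13:08:21 debsweb imaps[24533]: EOF in SSL_accept() -> fail
Jun 9 13:08:21 debsweb imaps[24533]: imaps TLS negotiation failed: gateway [XXXXXXX]
Jun 9 13:08:21 debsweb imaps[24533]: Fatal error: tls_start_servertls() failed
Jun 9 13:08:21 debsweb master[23853]: process 24533 exited, status 75
Jun 9 13:09:02 debsweb imaps[24540]: imapd:Loading hard-coded DH parameters
Jun 9 13:09:02 debsweb imaps[24540]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
"""

# Constructed imapd.conf fragments (paths are placeholders, not SUSE defaults):
# an upgraded server that kept its old file, and the same file after adding
# the line the patch note asks for.
SAMPLE_CONF_UPGRADED = """\
configdirectory: /var/lib/imap
tls_cert_file: /etc/ssl/example/servercert.pem   # placeholder path
tls_key_file: /etc/ssl/example/serverkey.pem     # placeholder path
"""
SAMPLE_CONF_HARDENED = SAMPLE_CONF_UPGRADED + "tls_versions: tls1_0 tls1_1 tls1_2\n"

# Shape of the syslog lines in the post: "<ts> <host> <prog>[<pid>]: <msg>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"TLS negotiation failed: (?P<peer>.+)$")
EXIT_RE = re.compile(r"process (?P<pid>\d+) exited, status (?P<status>\d+)")

# The only tls_versions values the patch note names.
KNOWN_VERSIONS = {"tls1_0", "tls1_1", "tls1_2"}


def parse_tls_failures(log_text):
    """Group imaps log lines by worker PID and flag handshakes that failed.

    Returns {pid: {"peer", "eof", "hardcoded_dh", "failed", "exit_status"}}.
    "eof" means the client closed the connection during SSL_accept(), i.e.
    the client gave up on the handshake rather than the server rejecting it.
    """
    workers = defaultdict(lambda: {"peer": None, "eof": False,
                                   "hardcoded_dh": False, "failed": False,
                                   "exit_status": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if m.group("prog") == "master":
            # master logs the *worker's* pid in the message, not in brackets
            e = EXIT_RE.search(msg)
            if e:
                workers[e.group("pid")]["exit_status"] = int(e.group("status"))
            continue
        w = workers[m.group("pid")]
        if "Loading hard-coded DH parameters" in msg:
            w["hardcoded_dh"] = True
        elif "EOF in SSL_accept()" in msg:
            w["eof"] = True
        elif "TLS negotiation failed" in msg:
            w["failed"] = True
            p = PEER_RE.search(msg)
            w["peer"] = p.group("peer") if p else None
    return dict(workers)


def failed_workers(log_text):
    """PIDs whose TLS handshake failed, in log order."""
    return [pid for pid, w in parse_tls_failures(log_text).items() if w["failed"]]


def check_tls_versions(conf_text):
    """Inspect an imapd.conf for the tls_versions option the patch introduced.

    Per the patch note, an upgraded server whose file lacks the option keeps
    SSLv2/SSLv3 enabled, so a missing option is reported as legacy_ssl=True.
    Tokens other than the three the note lists are returned as "unrecognized".
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "tls_versions":
            versions = value.split()
            return {"present": True, "versions": versions,
                    "unrecognized": [v for v in versions if v not in KNOWN_VERSIONS],
                    "legacy_ssl": False}
    return {"present": False, "versions": [], "unrecognized": [], "legacy_ssl": True}


if __name__ == "__main__":
    for pid, w in parse_tls_failures(SAMPLE_LOG).items():
        state = "FAILED" if w["failed"] else "ok"
        print(f"worker {pid}: {state} peer={w['peer']} client_eof={w['eof']} "
              f"hardcoded_dh={w['hardcoded_dh']} exit={w['exit_status']}")
    for name, conf in (("upgraded", SAMPLE_CONF_UPGRADED), ("hardened", SAMPLE_CONF_HARDENED)):
        print(name, check_tls_versions(conf))
```

Run against a real /var/log/messages and imapd.conf, the first function tells you which peers abort the handshake themselves (client EOF, the pattern here) as opposed to being refused by the server, and the second tells you whether the upgraded host is still in the "SSLv2/SSLv3 like before" state the patch note warns about.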

Automatic Reply
15-Jun-2016, 05:30
jimsmithson,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- Open a service request: https://www.suse.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com

wornetche
20-Jun-2016, 16:36
We have exactly the same problem after we applied cyrus-imapd-2.3.11-60.65.67.1

Already tried - with no effect:
* appended 1024- and 2048-bit DH-Keys to SSL-Key-File to get rid of "Loading hard-coded DH parameters"
* tried all permutations of "tls_versions: tls1_0 tls1_1 tls1_2" in imapd.conf
* compared imapd.conf with working Server on Ubuntu 14.04

Clients working:
* openssl s_client -connect 127.0.0.1:993
* Blackberry 10
* some Android- and Windows Phones
* Linux-based Webmail

Good Ideas welcome!

Best regards,
Christian


wornetche
20-Jun-2016, 17:00
Rolled back:

zypper install --oldpackage cyrus-imapd-2.3.11-60.65.64.1

this temporarily fixed it, until next updates are applied ....