
Vulnerability STARTTLS in Courier - CVE-2011-0411

You can disable plaintext login in courier imap by editing /etc/courier-imap/imapd-ssl to set IMAP_TLS_REQUIRED to 1.
 
So verify it is set to 0 first

# grep IMAP_TLS_REQUIRED /etc/courier-imap/imapd-ssl
##NAME: IMAP_TLS_REQUIRED:1
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
#IMAP_TLS_REQUIRED=0
IMAP_TLS_REQUIRED=0

Then turn it off
# perl -pi -e 's/IMAP_TLS_REQUIRED=0/IMAP_TLS_REQUIRED=1/' /etc/courier-imap/imapd-ssl

Then verify it's off

# grep IMAP_TLS_REQUIRED /etc/courier-imap/imapd-ssl
##NAME: IMAP_TLS_REQUIRED:1
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
#IMAP_TLS_REQUIRED=1
IMAP_TLS_REQUIRED=1

restart the service
service courier-imap restart
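The same change as the grep/perl/restart procedure above, done by parsing the file instead of a blind regex replace. This is an added example for this thread and is not Plesk or Courier code. It handles the format shown in the grep output: '#' comment lines (the '##NAME:' metadata and the commented template '#IMAP_TLS_REQUIRED=0') and KEY=value assignments, where the last uncommented assignment is the one that counts. The perl one-liner above also rewrites the commented template line and silently does nothing if the active line reads anything but '=0'; this version leaves comments alone and appends the line if it is missing. The path and the SAMPLE text are constructed for illustration.

```python
"""
Check and set IMAP_TLS_REQUIRED in Courier's imapd-ssl by parsing the file.
Added example for this thread; not Plesk or Courier code.
"""
import re

# Matches KEY=value at the start of a line; a leading '#' never matches,
# so comment and template lines are left untouched.
ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def effective_value(text, key):
    """Value of the last uncommented `key=` line, or None if the key is never set."""
    value = None
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) == key:
            value = m.group(2).strip().strip('"')   # last assignment wins, as in the shell-style file
    return value


def set_value(text, key, new):
    """Rewrite every uncommented `key=` line to `key=new`; append one if none exists."""
    out, found = [], False
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) == key:
            out.append(f"{key}={new}")
            found = True
        else:
            out.append(line)                        # comments and other keys pass through
    if not found:
        out.append(f"{key}={new}")                  # key absent: add it rather than do nothing
    return "\n".join(out) + "\n"


def require_starttls(path="/etc/courier-imap/imapd-ssl", key="IMAP_TLS_REQUIRED"):
    """Force the key to 1 in place and return (old, new) effective values.
    The default path is the one from the post; adjust for your layout."""
    with open(path) as f:
        text = f.read()
    old = effective_value(text, key)
    new_text = set_value(text, key, "1")
    if new_text != text:
        with open(path, "w") as f:
            f.write(new_text)
    return old, effective_value(new_text, key)


# Constructed sample mirroring the grep output shown in the post above.
SAMPLE = (
    "##NAME: IMAP_TLS_REQUIRED:1\n"
    "# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.\n"
    "#IMAP_TLS_REQUIRED=0\n"
    "IMAP_TLS_REQUIRED=0\n"
)

if __name__ == "__main__":
    print("before:", effective_value(SAMPLE, "IMAP_TLS_REQUIRED"))
    print("after: ", effective_value(set_value(SAMPLE, "IMAP_TLS_REQUIRED", "1"), "IMAP_TLS_REQUIRED"))
```

After writing the file, `service courier-imap restart` (or the equivalent for your init system) is still needed for courier-imap to pick up the new value. Note that, as the correction further down the thread says, requiring STARTTLS only stops plaintext logins; it is not the fix for CVE-2011-0411.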
 
Sorry, my mistake.
Setting IMAP_TLS_REQUIRED to 1 is not a solution for CVE-2011-0411.
We will release a patch for this issue. The patch will be included in the nearest MU.
 
Was a micro update ever released for this? And is there one for Plesk 8? 8 seems to have gotten an MU for the same issue in qmail but not in courier.
 
Can I PLEASE have a reply to this? As far as I can tell, Parallels has not released an MU for Courier in Plesk 8, leaving this vulnerability open for a year.
 
Ticket #1349462 ... waiting for a response.

RE: Plesk Ticket #1349462

All microupdates have already been installed and failed to address this vulnerability. What command (commandline) did you run to verify the microupdates are installed? What is the external command (commandline) you ran to verify your microupdate is working and is compliant with the CVE?
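An external check of the kind asked for above, as an added example that is not from this thread, Plesk or Courier. CVE-2011-0411 is the STARTTLS plaintext command injection class of bug: a client (or a man-in-the-middle) sends STARTTLS and a second command in one TCP segment, and a vulnerable server keeps the buffered plaintext, executes it after the TLS handshake and answers it inside the encrypted session. A patched server discards whatever arrived after STARTTLS and reads fresh input only from inside TLS. This probe sends that pair, completes the handshake, and classifies the server by where the reply to the injected command shows up. The tags a001..a004, the host/port arguments and the sample reply strings are arbitrary choices for the example; it verifies the server's behaviour, not whether any particular MU is installed.

```python
"""
Probe an IMAP server for STARTTLS plaintext command injection (CVE-2011-0411 class).
Added example for this thread; not Plesk, Parallels or Courier code.
"""
import socket
import ssl
import sys

TAG_STARTTLS = b"a001"   # arbitrary tag choices for the probe
TAG_INJECT = b"a002"
TAG_CHECK = b"a003"


def build_probe():
    """STARTTLS followed by an injected CAPABILITY, sent as a single segment."""
    return TAG_STARTTLS + b" STARTTLS\r\n" + TAG_INJECT + b" CAPABILITY\r\n"


def tagged_status(data, tag):
    """Status word (OK/NO/BAD) of the tagged reply for `tag`, or None if absent."""
    for line in data.split(b"\r\n"):
        parts = line.split(b" ", 2)
        if len(parts) >= 2 and parts[0] == tag:
            return parts[1].upper()
    return None


def classify(plain, post_tls):
    """Verdict from the bytes the server sent before and after the handshake."""
    if tagged_status(plain, TAG_STARTTLS) != b"OK":
        return "no-starttls"            # refused or not offered; nothing to inject into
    if tagged_status(plain, TAG_INJECT) is not None:
        return "executed-in-plaintext"  # ran the buffered command before TLS: still buggy
    if tagged_status(post_tls, TAG_INJECT) is not None:
        return "vulnerable"             # plaintext command answered inside the TLS session
    if tagged_status(post_tls, TAG_CHECK) == b"OK":
        return "not-vulnerable"         # buffered input discarded; the TLS channel itself works
    return "inconclusive"


def _read_until_tag(sock, tag, timeout):
    """Collect replies until the tagged line for `tag` appears or the read times out."""
    sock.settimeout(timeout)
    buf = b""
    while tagged_status(buf, tag) is None:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=143, timeout=5.0):
    """Run the live check against host:port and return the verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        _read_until_tag(raw, b"*", timeout)                   # untagged greeting, "* OK ..."
        raw.sendall(build_probe())                            # both commands in one write
        plain = _read_until_tag(raw, TAG_STARTTLS, timeout)
        if tagged_status(plain, TAG_STARTTLS) != b"OK" or tagged_status(plain, TAG_INJECT):
            return classify(plain, b"")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE                       # probing the server, not its certificate
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLError:
            return "handshake-failed"                         # e.g. plaintext reply sent after STARTTLS OK
        post = _read_until_tag(tls, TAG_INJECT, timeout)      # a vulnerable server answers a002 here
        tls.sendall(TAG_CHECK + b" NOOP\r\n")                 # prove the TLS channel works either way
        post += _read_until_tag(tls, TAG_CHECK, timeout)
        tls.sendall(b"a004 LOGOUT\r\n")
        return classify(plain, post)


if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 143))
```

Run it as `python3 probe.py mail.example.com 143` (hostname is a placeholder). "vulnerable" means the CAPABILITY that was pipelined behind STARTTLS in plaintext was executed and answered after the handshake; "not-vulnerable" means the server dropped it and only answered the NOOP sent inside TLS. The verdict is independent of IMAP_TLS_REQUIRED, which is why that setting does not close the CVE.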
 
Why have you not continued this ticket and allowed the support engineer to resolve it?
 
Are you suggesting that a solution exists? I have all the updates on countless servers and I don't see any resolution to this particular issue in Parallels' version of Courier.
 
I just thought that the ticket should not be resolved until a proper solution is provided.
 
This issue has been fixed since the 10.3.1 MU#4 version.
 
What about users of 8 who can't upgrade because of bugs in the upgrade process that would break those systems? We need a fix for this for 8.6, or release the source rpm for the Plesk courier build so we can patch and deploy ourselves.
 
We have already requested a patch for the whole 9.x branch. I will update the thread when it is ready.
 
Igor, can I please have an update on this for Plesk 8.6 and 9.5.4? We really need to close this vulnerability in servers running both of those versions. I'm sure it would be quite easy to patch the courier version for both releases as they're both running 3.0.8, just like 10.4 is.

Or can we get a source rpm for the modified courier version that Parallels is using so we can patch and recompile? I believe this is mandated by the license Courier is distributed under regardless.
 
I strongly recommend you subscribe to our RSS feed here http://www.parallels.com/products/plesk/
We have already published corresponding MU and KB articles:

http://kb.parallels.com/en/113563 - Parallels Plesk Panel 8.6.0 MU#13
http://kb.parallels.com/en/113565 - Parallels Plesk Panel 9.5.4 MU#19
 
The last time a security update went un-noticed I was told to subscribe to the mailing list, now I'm being told to subscribe to an RSS feed. Does Parallels have any one single definitive source of when and where these updates will be released since everyone seems to suggest something other than what everyone else suggests, and none of them appear to be correct?
 