Vulnerability STARTTLS in Courier - CVE-2011-0411

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by Hostasaurus.Com, Jul 19, 2011.

  1. Hostasaurus.Com (Regular Pleskian; joined Oct 8, 2009; 465 messages; 8 likes received)

    Anyone know of a patch for 9.5.4 that fixes the CVE-2011-0411 (plaintext STARTTLS) vulnerability?

    Parallels appears to have released a patch specific to qmail, http://kb.odin.com/en/111152, but it doesn't fix the same issue in Courier.
     
  2. IgorG (Forums Analyst, Staff Member; joined Oct 27, 2009; 24,546 messages; 1,240 likes received; Novosibirsk, Russia)

    You can disable plaintext login in courier imap by editing /etc/courier-imap/imapd-ssl to set IMAP_TLS_REQUIRED to 1.
     
  3. Amin Taheri (Golden Pleskian, Plesk Certified Professional; joined Jul 5, 2007; 1,398 messages; 1 like received; Seattle Area)

    So verify it is set to 0 first,

    then turn it off,
    then verify it's off,

    restart the service.
     
  4. IgorG (Forums Analyst, Staff Member)

    Sorry, my mistake.
    Setting IMAP_TLS_REQUIRED to 1 is not a solution for CVE-2011-0411.
    We will release a patch fixing this issue. The patch will be included in the nearest MU.
     
  5. Hostasaurus.Com (Regular Pleskian)

    Was a micro update ever released for this? And is there one for Plesk 8? 8 seems to have gotten a MU for the same issue in qmail but not in courier.
     
  6. Hostasaurus.Com (Regular Pleskian)

    Can I PLEASE have a reply to this? As far as I can tell, Parallels has not released an MU for Courier in Plesk 8, leaving this vulnerability open for a year.
     
  7. WileyC (New Pleskian; joined Aug 11, 2010; 2 messages; 0 likes received)

    Ticket #1349462, ...waiting for a response.
     
  8. Hostasaurus.Com (Regular Pleskian)

    Could you let me know what you find out? Been waiting on a response to this for quite some time and they just ignore it.
     
  9. WileyC (New Pleskian)

    RE: Plesk Ticket #1349462

    All microupdates have already been installed and failed to address this vulnerability. What command (command line) did you run to verify the microupdates are installed? What is the external command (command line) you ran to verify your microupdate is working and is in compliance with the CVE?
     
  10. Hostasaurus.Com (Regular Pleskian)

    The microupdates definitely don't address that in courier, they only fix it in the qmail smtp server.
     
  11. IgorG (Forums Analyst, Staff Member)

    Why have you not continued this ticket and allowed the supporter to resolve it?
     
  12. Hostasaurus.Com (Regular Pleskian)

    Are you suggesting that a solution exists? I have all the updates on countless servers and I don't see any resolution to this particular issue in Parallels' version of Courier.
     
  13. IgorG (Forums Analyst, Staff Member)

    I just thought that the ticket should not be resolved until a proper solution is provided.
     
  14. Hostasaurus.Com (Regular Pleskian)

    You had said back in July that a patch would be released; has that occurred?
     
  15. IgorG (Forums Analyst, Staff Member)

    This issue has been fixed since version 10.3.1 MU#4.
     
  16. Hostasaurus.Com (Regular Pleskian)

    What about users of 8 who can't upgrade because of bugs in the upgrade process that would break those systems? We need a fix for this for 8.6, or release the source rpm for the Plesk courier build so we can patch and deploy ourselves.
     
    Last edited: Mar 21, 2012
  17. IgorG (Forums Analyst, Staff Member)

    We have already requested a patch for the whole 9.x branch. I will update the thread when it is ready.
     
  18. Hostasaurus.Com (Regular Pleskian)

    Igor, can I please have an update on this for Plesk 8.6 and 9.5.4? We really need to close this vulnerability in servers running both of those versions. I'm sure it would be quite easy to patch the courier version for both releases as they're both running 3.0.8, just like 10.4 is.

    Or can we get a source rpm for the modified courier version that Parallels is using so we can patch and recompile? I believe this is mandated by the license Courier is distributed under regardless.
     
  19. IgorG (Forums Analyst, Staff Member)

    I strongly recommend you subscribe to our RSS feed here http://www.parallels.com/products/plesk/
    We have already published corresponding MU and KB articles:

    http://kb.parallels.com/en/113563 - Parallels Plesk Panel 8.6.0 MU#13
    http://kb.parallels.com/en/113565 - Parallels Plesk Panel 9.5.4 MU#19
     
  20. Hostasaurus.Com (Regular Pleskian)

    The last time a security update went un-noticed I was told to subscribe to the mailing list, now I'm being told to subscribe to an RSS feed. Does Parallels have any one single definitive source of when and where these updates will be released since everyone seems to suggest something other than what everyone else suggests, and none of them appear to be correct?
     