Bug 41378

Summary: Disable SSLv2 and SSLv3 in Cyrus IMAPD (3.3)
Product: UCS Reporter: Arvid Requate <requate>
Component: MailAssignee: Felix Botner <botner>
Status: CLOSED FIXED QA Contact: Daniel Tröder <troeder>
Severity: normal    
Priority: P3 CC: birkefeld, gohmann, grandjean, requate, schwardt, troeder
Version: UCS 3.3Flags: requate: Patch_Available+
Target Milestone: UCS 3.3-0-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on: 40810    
Bug Blocks:    

Description Arvid Requate univentionstaff 2016-05-30 13:56:38 CEST 
Not fixed yet in UCS 3.3


+++ This bug was initially created as a clone of Bug #40810 +++

Cyrus still supports SSLv3 and even SSLv2 in our default configuration:

> tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

This makes UCS 3.2 (and older) vulnerable to the DROWN attack: https://drownattack.com/

UCS 4.0 and 4.1 don't offer SSLv2 anymore, but still SSLv3, which is also considered "not sufficiently secure" -> https://datatracker.ietf.org/doc/rfc7568/
Comment 1 Felix Botner univentionstaff 2016-10-20 10:17:53 CEST 
merged changes from 3.2-8 to errata3.3-0

ucs-3.3/ucs-3.3-0/mail/univention-mail-cyrus: r73368

ucs-3.3-0/doc/errata/staging/univention-mail-cyrus.yaml
Comment 2 Daniel Tröder univentionstaff 2016-10-21 09:59:54 CEST 
OK: code merge
OK: manual test (echo "A LOGOUT" | openssl s_client -connect...)
OK: automatic test (40_mail/09_imap_ssl_versions)
OK: advisory

SSLv3 cannot be disabled in Cyrus without also disabling TLSv1 :/
Comment 3 Janek Walkenhorst univentionstaff 2016-10-27 17:56:14 CEST 
<http://errata.software-univention.de/ucs/3.3/20.html>