Bug 737416
| Summary: | Upgrade to Fedora 15 enabled insecure login | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Woodhouse <dwmw2> |
| Component: | dovecot | Assignee: | Michal Hlavinka <mhlavink> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | mhlavink |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | dovecot-2.0.15-1.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-10-13 23:52:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Woodhouse
2011-09-11 22:24:31 UTC
I'll change it in Fedora 16 and rawhide. I don't want to break F15 installations. I understand the reticence but I'm not sure there are many people who would consider that 'breakage'. I would ask that you reconsider, and *do* disable the unencrypted logins for Fedora 15. Or failing that, is there at least a way to disable plain-text auth mechanisms lile PLAIN when you're on an unencrypted connection, and only accept things like CRAM-MD5 that don't give the password away? Logging in over an unencrypted protocol with a plain-text password is *such* a broken thing that I would want a big shouty warning (like the one that sudo sends in email when a non-sudoer tries) if it ever happens. I understand your concerns, but it could break existing setups. Fixing this in released distro is too difficult. Also using more "advanced" configuration can cause even bigger breakage, because dovecot.conf is split in several files. If we change 2 files foo.cfg and bar.cfg where user changed bar.cfg he gets only half of the changes, because config file is updated only if user did not change it. So we can break it easily and can't guarantee that user gets required changes. So I'm not going to change anything in Fedora 15, sorry. dovecot-2.0.14-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/dovecot-2.0.14-2.fc16 Package dovecot-2.0.14-2.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing dovecot-2.0.14-2.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/dovecot-2.0.14-2.fc16 then log in and leave karma (feedback). dovecot-2.0.15-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/dovecot-2.0.15-1.fc15 dovecot-2.0.15-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/dovecot-2.0.15-1.fc14 dovecot-2.0.15-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/dovecot-2.0.15-1.fc16 dovecot-2.0.15-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. dovecot-2.0.15-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. dovecot-2.0.15-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |