How does that information jive with the confirmed reports that Surgemail is leaking information?
Frank
-----Original Message-----
From: Steffen [mailto:steffen@land10.nl]
Sent: Tuesday, April 08, 2014 3:12 PM
To: surgemail-list@netwinsite.com
Subject: Re: [SurgeMail List] CVE-2014-0160 a. k. a.Heartbleed
Current OpenSSL version of Surgemail is 0.9.8r.
OpenSSL 0.9.8 branch is NOT vulnerable.
Steffen
On Tuesday 08/04/2014 at 21:59, Peter Dyke wrote:
> Interestingly enough, when using the self-signed cert,
>
> SurgeMail Version 6.5b-13, Built Oct 17 2013 08:35:02, Platform
> Linux_64
>
> simply does not run the Heartbleed test script, instead returns
>
> dial tcp 143.*.*.*:443: connection refused
>
> (IP address redacted)
>
>
> On 4/8/2014 12:29 PM, Chris Ferebee wrote:
>>
>> It’s a doozy all right. There’s a nice overview at
>>
>> <https://maclemon.at/blog/2014/04/07/openssl-heartbeat-cve-2014-0160/>
>>
>> with links to some sample exploits as python scripts. You can run them
>> (non-destructively) against your SurgeMail server to see what they
>> turn up. I saw a bunch of sensitive information when I tried it
>> earlier today. It is perfectly possible that this can be exploited to
>> divulge your SSL private keys. We will all need to revoke our
>> certificates and order new ones once we’re patched. It might be
>> appropriate to issue new mail passwords.
>>
>> If you can install your certs on your load-balancer and proxy the SSL
>> traffic, yes, that seems like it would help, as long as your
>> load-balancer is not vulnerable.
>>
>> Best,
>> Chris
>>
>> Am 08.04.2014 um 21:00 schrieb Frank Bulk <fbulk@mypremieronline.com>:
>>
>>>
>>> When I reviewed the issue last night I wasn't overly concerned,
>>> thinking this was more MiTM attack, but after reviewing
>>> http://heartbleed.com/ more carefully, it seems like they could
>>> potentially walk through memory in 64 kilobyte chunks and retrieve
>>> other content.
>>>
>>> Can we get some new binaries yet today?
>>>
>>> Is the temporary mitigation to use SSL from the load-balancer in front
>>> of our two Surgemail servers?
>>>
>>> Regards,
>>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: Chris Ferebee [mailto:cf@ferebee.net]
>>> Sent: Tuesday, April 08, 2014 6:46 AM
>>> To: surgemail-list@netwinsite.com
>>> Subject: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>>>
>>> ChrisP, Marijn,
>>>
>>> When you have a moment, could you please let us know what the status
>>> of SurgeMail is WRT the CVE-2014-0160 a. k. a. Heartbleed SSL exploit?
>>>
>>> I have a server running SurgeMail 6.6a on a version of SmartOS
>>> (Solaris x64) with OpenSSL 1.0.1e installed, and it is vulnerable as
>>> per
>>>
>>> <http://filippo.io/Heartbleed/>
>>>
>>> and other example exploits. A different server running SurgeMail 6.6a
>>> on OS X 10.6.8 (which includes OpenSSL 0.9.8y) is not vulnerable.
>>>
>>> However, as far as I can tell, SurgeMail does not dynamically link
>>> OpenSSL from the host platform in either case and therefore presumably
>>> comes with its own, statically linked version.
>>>
>>> Therefore, it appears that we urgently need a fixed version of
>>> SurgeMail, e. g. 6.6a, in my case for Solaris x64, presumably also for
>>> some of the other platforms. Do you have an ETA for that yet?
>>>
>>> Best,
>>> Chris
>>>
>>>
>>>
>>>
>
>
|
