Wait. What are these confirmed reports of leaked information?
What's being leaked?
On 4/8/2014 4:37 PM, Frank Bulk wrote:
> How does that information jive with the confirmed reports that Surgemail is leaking information?
>
> Frank
>
> -----Original Message-----
> From: Steffen [mailtoHIDDEN@n@land10.nl]
> Sent: Tuesday, April 08, 2014 3:12 PM
> To: surgemailHIDDEN@etwinsite.com
> Subject: Re: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>
> Current OpenSSL version of Surgemail is 0.9.8r.
>
> OpenSSL 0.9.8 branch is NOT vulnerable.
>
> Steffen
>
>
> On Tuesday 08/04/2014 at 21:59, Peter Dyke wrote:
>> Interestingly enough, when using the self-signed cert,
>>
>> SurgeMail Version 6.5b-13, Built Oct 17 2013 08:35:02, Platform
>> Linux_64
>>
>> simply does not run the Heartbleed test script, instead returns
>>
>> dial tcp 143.*.*.*:443: connection refused
>>
>> (IP address redacted)
>>
>>
>> On 4/8/2014 12:29 PM, Chris Ferebee wrote:
>>> It’s a doozy all right. There’s a nice overview at
>>>
>>> <https://maclemon.at/blog/2014/04/07/openssl-heartbeat-cve-2014-0160/>
>>>
>>> with links to some sample exploits as python scripts. You can run them
>>> (non-destructively) against your SurgeMail server to see what they
>>> turn up. I saw a bunch of sensitive information when I tried it
>>> earlier today. It is perfectly possible that this can be exploited to
>>> divulge your SSL private keys. We will all need to revoke our
>>> certificates and order new ones once we’re patched. It might be
>>> appropriate to issue new mail passwords.
>>>
>>> If you can install your certs on your load-balancer and proxy the SSL
>>> traffic, yes, that seems like it would help, as long as your
>>> load-balancer is not vulnerable.
>>>
>>> Best,
>>> Chris
>>>
>>> On 08.04.2014 at 21:00, Frank Bulk HIDDEN@mypremieronline.com> wrote:
>>>
>>>> When I reviewed the issue last night I wasn't overly concerned,
>>>> thinking this was more MiTM attack, but after reviewing
>>>> http://heartbleed.com/ more carefully, it seems like they could
>>>> potentially walk through memory in 64 kilobyte chunks and retrieve
>>>> other content.
>>>>
>>>> Can we get some new binaries yet today?
>>>>
>>>> Is the temporary mitigation to use SSL from the load-balancer in front
>>>> of our two Surgemail servers?
>>>>
>>>> Regards,
>>>>
>>>> Frank
>>>>
>>>> -----Original Message-----
>>>> From: Chris Ferebee [mailtoHIDDEN@ebee.net]
>>>> Sent: Tuesday, April 08, 2014 6:46 AM
>>>> To: surgemailHIDDEN@etwinsite.com
>>>> Subject: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>>>>
>>>> ChrisP, Marijn,
>>>>
>>>> When you have a moment, could you please let us know what the status
>>>> of SurgeMail is WRT the CVE-2014-0160 a. k. a. Heartbleed SSL exploit?
>>>>
>>>> I have a server running SurgeMail 6.6a on a version of SmartOS
>>>> (Solaris x64) with OpenSSL 1.0.1e installed, and it is vulnerable as
>>>> per
>>>>
>>>> <http://filippo.io/Heartbleed/>
>>>>
>>>> and other example exploits. A different server running SurgeMail 6.6a
>>>> on OS X 10.6.8 (which includes OpenSSL 0.9.8y) is not vulnerable.
>>>>
>>>> However, as far as I can tell, SurgeMail does not dynamically link
>>>> OpenSSL from the host platform in either case and therefore presumably
>>>> comes with its own, statically linked version.
>>>>
>>>> Therefore, it appears that we urgently need a fixed version of
>>>> SurgeMail, e. g. 6.6a, in my case for Solaris x64, presumably also for
>>>> some of the other platforms. Do you have an ETA for that yet?
>>>>
>>>> Best,
>>>> Chris
>>>>
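A defender's check for the static-linking question raised in this thread: an added example, not from the list or from SurgeMail, that reads the version banner OpenSSL compiles into itself out of a binary and classifies it against the CVE-2014-0160 affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8 and 1.0.0 never contained the heartbeat code). Function names and the sample bytes are mine; the banner is a heuristic only, since vendor builds can backport the fix or build without heartbeats while keeping the same version string.

```python
import re
import sys

# Every OpenSSL build embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013",
# so it survives static linking and can be read straight out of the binary.
_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?")
_VERSION = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?")


def heartbleed_status(version: str) -> str:
    """Classify a version like '1.0.1e', '0.9.8r' or '1.0.2-beta1' against CVE-2014-0160."""
    m = _VERSION.fullmatch(version)
    if not m:
        return "unknown"
    base, letter, beta = m.groups()
    if base == "1.0.1":
        # 1.0.1 (no letter) through 1.0.1f carry the bug; 1.0.1g added the length check.
        return "vulnerable" if letter < "g" else "fixed"
    if base == "1.0.2":
        # Only the first 1.0.2 beta was affected.
        return "vulnerable" if beta == "-beta1" else "fixed"
    # 0.9.8 and 1.0.0 predate the heartbeat extension entirely.
    return "not affected"


def scan_bytes(data: bytes) -> dict:
    """Return {version: status} for every distinct OpenSSL banner found in data."""
    result = {}
    for m in _BANNER.finditer(data):
        version = b"".join(g or b"" for g in m.groups()).decode("ascii")
        result.setdefault(version, heartbleed_status(version))
    return result


def check_binary(path: str) -> dict:
    """Scan an on-disk executable or shared object (e.g. the surgemail binary)."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


if __name__ == "__main__":
    # Constructed sample standing in for a statically linked server binary.
    sample = b"\x7fELF\x00...OpenSSL 1.0.1e 11 Feb 2013\x00...OpenSSL 1.0.1e 11 Feb 2013\x00"
    findings = check_binary(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(sample)
    for version, status in findings.items():
        print(f"OpenSSL {version}: {status}")
```

Run it against the server executable rather than the system's libssl: as the thread notes, a statically linked build ignores whatever the host platform has installed.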