I am running Windows 6.6b-7 (has 0.9.8r) and it is statically linked. So that is safe. I hope that Netwin is not supplying a build with 1.0.1f for Windows and other platforms.

Note that I am running Surge Webmail behind IIS and Apache (IIS <==> Apache <==> Surge), so not vulnerable in any case.
Steffen

On Tuesday 08/04/2014 at 23:21, Chris Ferebee wrote:

Steffen,
AFAICS SurgeMail is statically linked to OpenSSL, at least on OS X and Solaris x64, cf. also the release note on version 6.6b-9. (Experimental Windows build with OpenSSL 1.0.1f.)
But every platform appears to have a different version, presumably whatever is well-supported. I tested SurgeMail 6.6a on OS X 10.6.8 and SmartOS. The OS X build was not vulnerable, the Solaris x64 one was.
Best, Chris
On 08.04.2014 at 22:11, Steffen <HIDDEN@n@land10.nl> wrote:
Current OpenSSL version of Surgemail is 0.9.8r. OpenSSL 0.9.8 branch is NOT vulnerable.

Steffen

On Tuesday 08/04/2014 at 21:59, Peter Dyke wrote:
Interestingly enough, when using the self-signed cert, SurgeMail Version 6.5b-13, Built Oct 17 2013 08:35:02, Platform Linux_64 simply does not run the Heartbleed test script, instead returns "dial tcp 143.*.*.*:443: connection refused" (IP address redacted).

On 4/8/2014 12:29 PM, Chris Ferebee wrote:
It’s a doozy all right. There’s a nice overview at <https://maclemon.at/blog/2014/04/07/openssl-heartbeat-cve-2014-0160/> with links to some sample exploits as python scripts. You can run them (non-destructively) against your SurgeMail server to see what they turn up. I saw a bunch of sensitive information when I tried it earlier today.

It is perfectly possible that this can be exploited to divulge your SSL private keys. We will all need to revoke our certificates and order new ones once we’re patched. It might be appropriate to issue new mail passwords.

If you can install your certs on your load-balancer and proxy the SSL traffic, yes, that seems like it would help, as long as your load-balancer is not vulnerable.

Best, Chris

On 08.04.2014 at 21:00, Frank Bulk <HIDDEN@mypremieronline.com> wrote:
When I reviewed the issue last night I wasn't overly concerned, thinking this was more MiTM attack, but after reviewing http://heartbleed.com/ more carefully, it seems like they could potentially walk through memory in 64 kilobyte chunks and retrieve other content.

Can we get some new binaries yet today? Is the temporary mitigation to use SSL from the load-balancer in front of our two Surgemail servers?

Regards, Frank

-----Original Message-----
From: Chris Ferebee [mailtoHIDDEN@ebee.net]
Sent: Tuesday, April 08, 2014 6:46 AM
To: surgemailHIDDEN@etwinsite.com
Subject: [SurgeMail List] CVE-2014-0160 a.k.a. Heartbleed

ChrisP, Marijn,

When you have a moment, could you please let us know what the status of SurgeMail is WRT the CVE-2014-0160 a.k.a. Heartbleed SSL exploit?

I have a server running SurgeMail 6.6a on a version of SmartOS (Solaris x64) with OpenSSL 1.0.1e installed, and it is vulnerable as per <http://filippo.io/Heartbleed/> and other example exploits. A different server running SurgeMail 6.6a on OS X 10.6.8 (which includes OpenSSL 0.9.8y) is not vulnerable.

However, as far as I can tell, SurgeMail does not dynamically link OpenSSL from the host platform in either case and therefore presumably comes with its own, statically linked version.

Therefore, it appears that we urgently need a fixed version of SurgeMail, e.g. 6.6a, in my case for Solaris x64, presumably also for some of the other platforms. Do you have an ETA for that yet?

Best, Chris
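The thread's open question is which OpenSSL each SurgeMail build carries and whether it is statically linked; the answer decides whether the host's OpenSSL or the vendor's bundled copy governs exposure to CVE-2014-0160. The script below is an added example, not code from the thread or from Netwin: it scans a binary for the compiled-in "OpenSSL x.y.z" banner (the same string `strings` would show), falls back to looking for a libssl/libcrypto shared-object reference, and classifies the version against the affected range (1.0.1 up to and including 1.0.1f; the 0.9.8 and 1.0.0 branches never contained the heartbeat code). The three sample byte blobs are constructed stand-ins for real executables, and the function and variable names are this example's own.

```python
import re
import sys

# Constructed samples standing in for slices of real executables. A statically
# linked build carries the OpenSSL version banner as a C string in .rodata.
SAMPLE_STATIC_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"surgemail\x00"
    + b"OpenSSL 0.9.8r 8 Feb 2011\x00"
    + b"SSLv3 part of OpenSSL 0.9.8r 8 Feb 2011\x00"
)
SAMPLE_VULNERABLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
)
# A dynamically linked build has no banner of its own, only the soname it loads.
SAMPLE_DYNAMIC_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"libssl.so.1.0.0\x00libcrypto.so.1.0.0\x00"
)

VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")
SONAME_RE = re.compile(rb"lib(ssl|crypto)\.so[\.\d]*")


def find_openssl_versions(data: bytes) -> list:
    """Distinct OpenSSL version strings embedded in data, in order of first occurrence."""
    seen = []
    for m in VERSION_RE.finditer(data):
        ver = (m.group(1) + m.group(2)).decode("ascii")
        if ver not in seen:
            seen.append(ver)
    return seen


def is_heartbleed_affected(version: str) -> bool:
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
    Every other branch (0.9.8, 1.0.0) is unaffected."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    base, letter = m.group(1), m.group(2)
    if base != "1.0.1":
        return False
    return letter <= "f"  # plain "1.0.1" and letters a..f are affected


def link_mode(data: bytes) -> str:
    """'static' if a banner is compiled in, 'dynamic' if only a soname is referenced,
    'unknown' if neither appears (e.g. no TLS support at all)."""
    if VERSION_RE.search(data):
        return "static"
    if SONAME_RE.search(data):
        return "dynamic"
    return "unknown"


def assess(data: bytes) -> dict:
    """Summarise what the bytes reveal; for 'dynamic' the host library decides."""
    versions = find_openssl_versions(data)
    return {
        "link_mode": link_mode(data),
        "versions": versions,
        "affected": any(is_heartbleed_affected(v) for v in versions),
    }


def assess_file(path: str) -> dict:
    with open(path, "rb") as f:
        return assess(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, assess_file(path))
    else:
        for name, blob in [("static-0.9.8r", SAMPLE_STATIC_BINARY),
                           ("static-1.0.1e", SAMPLE_VULNERABLE_BINARY),
                           ("dynamic", SAMPLE_DYNAMIC_BINARY)]:
            print(name, assess(blob))
```

Run it as `python check_openssl_banner.py /path/to/surgemail` to inspect a real build. A result of "dynamic" means the binary itself tells you nothing about exposure and the host's libssl must be checked instead; a banner match is only a strong hint, since a binary can contain the string for other reasons (a help message, a second bundled library), so a positive result should be confirmed by patching or by the vendor's release note rather than treated as final.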