Chris,
From what I read, this is primarily an operating system issue. I don't
know about Solaris, but Debian based machines, like Ubuntu, have a
patch.
I took a look and I was still running 0.9.8 (I think like Steffan is)
which isn't vulnerable -- yet, so I updated to 1.0, then applied the
patch dated yesterday. Then I restarted the whole server since I don't
know all the services I am using that access the SSL -- probably a bunch
of them.
I'm not skilled enough to run python scripts.
------ Original Message ------
From: "Chris Ferebee" HIDDEN@ebee.net>
To: surgemailHIDDEN@etwinsite.com
Sent: 4/8/2014 5:20:26 PM
Subject: Spam:***********, Re: Spam:*********, Re: [SurgeMail List]
CVE-2014-0160 a. k. a. Heartbleed
>Steffen,
>
>AFAICS SurgeMail is statically linked to OpenSSL, at least on OS X and
>Solaris x64, cf. also the release note on version 6.6b-9. (Experimental
>Windows build with OpenSSL 1.0.1f.)
>
>But every platform appears to have a different version, presumably
>whatever is well-supported. I tested SurgeMail 6.6a on OS X 10.6.8 and
>SmartOS. The OS X build was not vulnerable, the Solaris x64 one was.
>
>Best,
>Chris
>
>On 08.04.2014 at 22:11, Steffen HIDDEN@n@land10.nl> wrote:
>
>>
>> Current OpenSSL version of Surgemail is 0.9.8r.
>>
>> OpenSSL 0.9.8 branch is NOT vulnerable.
>>
>> Steffen
>>
>>
>> On Tuesday 08/04/2014 at 21:59, Peter Dyke wrote:
>>> Interestingly enough, when using the self-signed cert,
>>>
>>> SurgeMail Version 6.5b-13, Built Oct 17 2013 08:35:02, Platform
>>>Linux_64
>>>
>>> simply does not run the Heartbleed test script, instead returns
>>>
>>> dial tcp 143.*.*.*:443: connection refused
>>>
>>> (IP address redacted)
>>>
>>>
>>> On 4/8/2014 12:29 PM, Chris Ferebee wrote:
>>>>
>>>> It’s a doozy all right. There’s a nice overview at
>>>>
>>>>
>>>><https://maclemon.at/blog/2014/04/07/openssl-heartbeat-cve-2014-0160/>
>>>>
>>>> with links to some sample exploits as python scripts. You can run
>>>>them (non-destructively) against your SurgeMail server to see what
>>>>they turn up. I saw a bunch of sensitive information when I tried it
>>>>earlier today. It is perfectly possible that this can be exploited
>>>>to divulge your SSL private keys. We will all need to revoke our
>>>>certificates and order new ones once we’re patched. It might be
>>>>appropriate to issue new mail passwords.
>>>>
>>>> If you can install your certs on your load-balancer and proxy the
>>>>SSL traffic, yes, that seems like it would help, as long as your
>>>>load-balancer is not vulnerable.
>>>>
>>>> Best,
>>>> Chris
>>>>
>>>> On 08.04.2014 at 21:00, Frank Bulk
>>>>HIDDEN@mypremieronline.com> wrote:
>>>>
>>>>>
>>>>> When I reviewed the issue last night I wasn't overly concerned,
>>>>>thinking this was more MiTM attack, but after reviewing
>>>>>http://heartbleed.com/ more carefully, it seems like they could
>>>>>potentially walk through memory in 64 kilobyte chunks and retrieve
>>>>>other content.
>>>>>
>>>>> Can we get some new binaries yet today?
>>>>>
>>>>> Is the temporary mitigation to use SSL from the load-balancer in
>>>>>front of our two Surgemail servers?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Frank
>>>>>
>>>>> -----Original Message-----
>>>>> From: Chris Ferebee [mailtoHIDDEN@ebee.net]
>>>>> Sent: Tuesday, April 08, 2014 6:46 AM
>>>>> To: surgemailHIDDEN@etwinsite.com
>>>>> Subject: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>>>>>
>>>>> ChrisP, Marijn,
>>>>>
>>>>> When you have a moment, could you please let us know what the
>>>>>status of SurgeMail is WRT the CVE-2014-0160 a. k. a. Heartbleed
>>>>>SSL exploit?
>>>>>
>>>>> I have a server running SurgeMail 6.6a on a version of SmartOS
>>>>>(Solaris x64) with OpenSSL 1.0.1e installed, and it is vulnerable
>>>>>as per
>>>>>
>>>>> <http://filippo.io/Heartbleed/>
>>>>>
>>>>> and other example exploits. A different server running SurgeMail
>>>>>6.6a on OS X 10.6.8 (which includes OpenSSL 0.9.8y) is not
>>>>>vulnerable.
>>>>>
>>>>> However, as far as I can tell, SurgeMail does not dynamically link
>>>>>OpenSSL from the host platform in either case and therefore
>>>>>presumably comes with its own, statically linked version.
>>>>>
>>>>> Therefore, it appears that we urgently need a fixed version of
>>>>>SurgeMail, e. g. 6.6a, in my case for Solaris x64, presumably also
>>>>>for some of the other platforms. Do you have an ETA for that yet?
>>>>>
>>>>> Best,
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>>
>>
>>
>
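The question the thread keeps returning to is which OpenSSL a given SurgeMail build has statically linked in, and whether that version is in the CVE-2014-0160 range. The following is an added example, not code from the list thread and not Netwin's or SurgeMail's own tooling. It scans an executable's bytes for the version banner OpenSSL compiles into every build (the same thing `strings binary | grep OpenSSL` shows) and classifies the result. It uses only the Python standard library; the two sample "binaries" are constructed stand-ins, and the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2) is taken from the upstream OpenSSL advisory rather than from the thread.

```python
import re
from pathlib import Path

# Version banner OpenSSL compiles into libcrypto, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# A statically linked copy carries the same banner, so scanning the executable's
# bytes answers "which OpenSSL is built in" the way `strings binary | grep OpenSSL` does.
_VERSION_PATTERN = r"(\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?"
VERSION_RE_STR = re.compile(_VERSION_PATTERN)
VERSION_RE_BYTES = re.compile(rb"OpenSSL " + _VERSION_PATTERN.encode("ascii"))


def parse_version(text: str):
    """Split "1.0.1e" into ("1.0.1", "e", "") or "1.0.2-beta1" into ("1.0.2", "", "-beta1")."""
    m = VERSION_RE_STR.fullmatch(text)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    base, letter, beta = m.groups()
    return base, letter, beta or ""


def heartbleed_affected(version: str) -> bool:
    """True if this upstream OpenSSL release contains CVE-2014-0160.

    Upstream advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected;
    1.0.1g and 1.0.2-beta2 carry the fix. 0.9.8 and 1.0.0 never had the
    TLS heartbeat extension, so they are not affected at all.
    """
    base, letter, beta = parse_version(version)
    if base == "1.0.1":
        # Patch letters sort alphabetically: "" (plain 1.0.1) < "a" < ... < "f" < "g".
        return letter < "g"
    if base == "1.0.2":
        return beta == "-beta1"
    return False


def find_openssl_versions(blob: bytes) -> list:
    """Distinct OpenSSL version strings embedded in a binary image, in order found."""
    found = []
    for m in VERSION_RE_BYTES.finditer(blob):
        base, letter, beta = m.groups()
        version = (base + letter + (beta or b"")).decode("ascii")
        if version not in found:
            found.append(version)
    return found


def assess_binary(blob: bytes) -> dict:
    """Map each embedded OpenSSL version to whether it is Heartbleed-affected."""
    return {v: heartbleed_affected(v) for v in find_openssl_versions(blob)}


def assess_file(path) -> dict:
    """Same check against an executable on disk, e.g. the surgemail binary."""
    return assess_binary(Path(path).read_bytes())


# Constructed stand-ins for two statically linked builds (not real SurgeMail binaries):
# a Solaris-style build carrying 1.0.1e and an OS X-style build carrying 0.9.8y.
SAMPLE_SOLARIS_BUILD = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"TLSv1 part of OpenSSL 1.0.1e 11 Feb 2013\x00"  # second copy of the banner
    + b"OpenSSLDie\x00"                                   # a symbol name, not a version
)
SAMPLE_OSX_BUILD = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"OpenSSL 0.9.8y 5 Feb 2013\x00"
)

if __name__ == "__main__":
    for name, blob in (("solaris", SAMPLE_SOLARIS_BUILD), ("osx", SAMPLE_OSX_BUILD)):
        print(name, assess_binary(blob))
```

Two caveats when reading the result. A build that embeds no banner at all is probably dynamically linked, so the host's OpenSSL library is what needs checking instead. And a distribution that backported the fix (the Debian/Ubuntu patch mentioned at the top of the thread) keeps the upstream banner, so a "1.0.1e" hit on a vendor-packaged library means "affected unless the package changelog says the fix was backported"; the banner alone cannot distinguish the two.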