I can confirm 6.6c-1 running on SmartOS (currently mirror slave only; I'll be upgrading the master shortly if the slave is OK).
To summarize:
SurgeMail 6.5a-1 and 6.6a-1 Solaris-x64 on SmartOS ARE vulnerable to Heartbleed
SurgeMail 6.6c-1 Solaris-x64 on SmartOS IS NOT vulnerable to Heartbleed
When checking for vulnerabilities, consider the following.
- As ChrisP has mentioned, tellmail status will report the OpenSSL version that is statically linked into SurgeMail. In 6.5a-1 and 6.6a-1 on Solaris-x64 the version is 1.0.1e (known to be vulnerable), on 6.6c-1 the version is 1.0.1g.
- Early reports on the web suggested checking for the vulnerability by running
against the server. This will report (at the beginning of the output) the TLS extensions the server claims to support, e.g. "renegotiate" and perhaps "heartbeat". However, note that running this command against SurgeMail 6.6a-1 will NOT report support for heartbeat, and yet the server IS vulnerable. I presume that the extension is in fact supported, but not advertised by the server.
If you are unsure whether you are affected, verify, e. g. using the test service at
and UPGRADE NOW if you are. I strongly recommend revoking and re-issuing certs, and would suggest re-issuing all mail passwords. (I will be doing this as time permits.)
Safe computing all, and thanks again to NetWin for getting on top of this immediately.
Best,
Chris
A new SurgeMail beta set has been released to include the OpenSSL patch. This is available:
release info as per:
Marijn
On Wednesday 09/04/2014 at 10:00 am, surgemail-support wrote:
Right, as far as I can recall all platforms other than Solaris x86 were on 0.9.8 of OpenSSL until a few days ago (because we preferred the stability of that version); then about a week ago we started changing to 1.0.1f on Linux and Windows to allow the use of some of the better encryption features it provided to protect y'all from the NSA :-).
So to quickly check if you have a problem do this:
WINDOWS: tellmail status | find "OpenSSL"
SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
UNIX: tellmail status | grep "OpenSSL"
SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
If you see '1.0.1' then you have a problem, if you see 0.9.8... then you are all good and can relax.
We will be doing new builds for all affected systems in the next hour or two and will post the builds to this list.
ChrisP.
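Chris's note higher up in the thread (the heartbeat extension is not advertised by 6.6a-1, yet the build is vulnerable) is the reason the version string from "tellmail status" is the more reliable first check than looking at advertised TLS extensions. The script below is an added example, not SurgeMail or NetWin code: it turns ChrisP's grep one-liner into a small POSIX sh check that parses the SSL/TLS line and classifies the statically linked OpenSSL build. It is deliberately narrower than "if you see 1.0.1 you have a problem": only 1.0.1 through 1.0.1f (and 1.0.2-beta1) carry the bug, while 1.0.1g, which Chris reports in 6.6c-1, is fixed. The sample status texts are constructed (only the SSL/TLS line follows the format quoted in this thread), and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not SurgeMail/NetWin code: classify the OpenSSL build that
# "tellmail status" reports as affected or not affected by Heartbleed
# (CVE-2014-0160). Affected OpenSSL releases: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g (and 1.0.2-beta2) carry the fix; the 0.9.8 and 1.0.0
# branches never had the TLS heartbeat code at all.

# classify_openssl VERSION  ->  prints VULNERABLE, NOT_VULNERABLE or UNKNOWN
classify_openssl() {
    case "$1" in
        1.0.1|1.0.1[a-f])     echo VULNERABLE ;;      # 1.0.1 .. 1.0.1f
        1.0.2-beta1)          echo VULNERABLE ;;
        1.0.1[g-z]*)          echo NOT_VULNERABLE ;;  # 1.0.1g+ has the fix
        0.9.*|1.0.0*)         echo NOT_VULNERABLE ;;  # no heartbeat support
        1.0.2*|1.1.*|[2-9].*) echo NOT_VULNERABLE ;;  # later branches
        *)                    echo UNKNOWN ;;
    esac
}

# openssl_version_from_status: reads "tellmail status" output on stdin and
# prints the version token from the SSL/TLS line, e.g. 1.0.1f from
#   SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
# Output captured on Windows may carry CR line endings, so strip them first.
openssl_version_from_status() {
    tr -d '\r' | sed -n 's/.*(OpenSSL \([^ ]*\) .*/\1/p' | head -n 1
}

# heartbleed_check STATUS_TEXT: prints "<version> <verdict>"; exit status 0
# when not vulnerable, 1 when vulnerable, 2 when no OpenSSL line was found.
heartbleed_check() {
    ver=$(printf '%s\n' "$1" | openssl_version_from_status)
    if [ -z "$ver" ]; then
        echo "none UNKNOWN"
        return 2
    fi
    verdict=$(classify_openssl "$ver")
    echo "$ver $verdict"
    case "$verdict" in
        NOT_VULNERABLE) return 0 ;;
        VULNERABLE)     return 1 ;;
        *)              return 2 ;;
    esac
}

# Constructed sample outputs. Only the SSL/TLS line follows the real format
# quoted in this thread; the surrounding lines are filler.
SAMPLE_LINUX_101F='some status line
SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
another status line'
SAMPLE_WINDOWS_098R="$(printf 'some status line\r\nSSL/TLS (OpenSSL 0.9.8r 8 Feb 2011), Allow=(*)\r\n')"
SAMPLE_SOLARIS_101G='SSL/TLS (OpenSSL 1.0.1g 7 Apr 2014), Allow=(*)'
SAMPLE_NO_SSL='some status line without any SSL/TLS entry'

# Live use on a SurgeMail host (not run here):
#   heartbleed_check "$(tellmail status)"
for s in "$SAMPLE_LINUX_101F" "$SAMPLE_WINDOWS_098R" "$SAMPLE_SOLARIS_101G" "$SAMPLE_NO_SSL"; do
    heartbleed_check "$s" || true
done
```

The exit status is meant for cron or a fleet loop over mirror hosts: 1 means upgrade now, 2 means the output did not parse and should be looked at by hand rather than treated as clean. A NOT_VULNERABLE verdict only says the linked OpenSSL is not affected; it does not replace a live probe against the listening ports if you want to confirm what the running binary actually does.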
Both 6.5a and 6.6a for Solaris x64 are vulnerable.
It would be great to get some guidance from NetWin on this.
They may, of course, be busy right now.
Best,
Chris
I am running Windows 6.6b-7 (has 0.9.8r) and it is statically linked. So that is safe. I hope that NetWin is not supplying a build with 1.0.1f for Windows and other platforms.