Heads up:
Running SurgeMail 6.6c-1 on SmartOS (Solaris-x64), I found that users could not retrieve email over IMAP using iOS 7.1 Apple Mail. Attachments and/or the entire message body would not load.
I reverted to 6.6a-1 before I could do further testing. We are now vulnerable again, but iOS Mail works.
Waiting to hear from support on this, but if anybody is running 6.6c-1 on Solaris-x64 without seeing this issue I'd be happy to hear about it and would start looking for problems on my end.
Best,
Chris
On 09.04.2014 at 16:13, Lyle HIDDEN@crcomputer.info> wrote:
> Over 14 hrs on the new build and no resets.
>
> Lyle
>
> On 4/8/2014 8:15 PM, Lyle Giese wrote:
>> 1 hour 5 mins, no restarts on 6.6.d-2
>>
>> Lyle
>>
>> On 04/08/14 19:10, Lyle Giese wrote:
>>> This one has lasted about 10 mins without restarting!
>>>
>>> Lyle Giese
>>> LCR Computer Services, Inc.
>>>
>>> On 04/08/14 18:54, surgemail-support wrote:
>>>> Here is a fix. I would appreciate confirmation if it is/isn't stable with that.
>>>> http://netwinsite.com/ftp/misc/l64.tar.gz
>>>>
>>>>
>>>> ChrisP.
>>>>
>>>> Spoke too soon. Restarted twice.
>>>>
>>>> I have sent the restart message to support.
>>>>
>>>> Lyle Giese
>>>> LCR Computer Services, Inc.
>>>>
>>>> On 04/08/14 18:22, Lyle Giese wrote:
>>>> Linux64 in place, tests good.
>>>>
>>>> Now to conduct full testing...
>>>>
>>>> Thanks!
>>>> Lyle Giese
>>>> LCR Computer Services, Inc.
>>>>
>>>> On 04/08/14 18:06, surgemail-support wrote:
>>>> Thanks for spotting that, looks like we updated that build in June last year for some reason. We'll check the others to be sure.
>>>> Solaris Intel 64 Binary http://netwinsite.com/ftp/misc/si64.tar.gz
>>>> Linux 64 Bit binary http://netwinsite.com/ftp/misc/l64.tar.gz
>>>> Windows binary http://netwinsite.com/ftp/misc/v1.zip
>>>> Full distributions will be done shortly but the above should be sufficient for anyone who needs a fix in a hurry.
>>>> (stop surgemail, replace the binary, start surgemail)
>>>> ChrisP.
>>>>
>>>> Chris,
>>>> If all other platforms were running OpenSSL v0.98 until a few
>>>> days ago, why is our release (SurgeMail Version 6.5b-52, Built
>>>> Jan 11 2014 10:30:54, Platform Linux_64 (Surgeweb Enabled))
>>>> running 1.0.1e?
>>>> mail1:~# tellmail status | grep OpenSSL
>>>> SSL/TLS (OpenSSL 1.0.1e 11 Feb 2013), Allow=(*)
>>>> mail1:~#
>>>> Perhaps because we got a custom build?
>>>> Regards,
>>>> Frank
>>>> From: surgemail-support [mailto:surgemailHIDDEN@t@netwinsite.com]
>>>> Sent: Tuesday, April 08, 2014 5:00 PM
>>>> To: surgemailHIDDEN@etwinsite.com
>>>> Subject: re: Re: [SurgeMail List] CVE-2014-0160 a. k. a.Heartbleed
>>>> Right, as far as I can recall all platforms other than Solaris
>>>> x86 were on 9.8 of OpenSSL until a few days ago (because we
>>>> preferred the stability of that version) then about a week ago we
>>>> started changing to 1.0.1f on Linux and Windows to allow the use
>>>> of some of the better encryption features it provided to protect
>>>> y'all from the NSA :-).
>>>> So to quickly check if you have a problem do this:
>>>> WINDOWS: tellmail status | find "OpenSSL"
>>>> SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
>>>> UNIX: tellmail status | grep "OpenSSL"
>>>> SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
>>>> If you see '1.0.1' then you have a problem, if you see 0.9.8...
>>>> then you are all good and can relax.
>>>> We will be doing new builds for all affected systems in the next
>>>> hour or two and will post the
>>>> builds to this list.
>>>> ChrisP.
>>>> Both 6.5a and 6.6a for Solaris x64 are vulnerable.
>>>> It would be great to get some guidance from NetWin on this.
>>>> They may, of course, be busy right now.
>>>> Best,
>>>> Chris
>>>> On 08.04.2014 at 23:35, Steffen
>>>> HIDDEN@n@land10.nl<mailto:steffen@land10.nl>> wrote:
>>>> I am running Windows 6.6b-7 (has 0.9.8r) and it is statically
>>>> linked. So that is safe. I hope that NetWin is not supplying a
>>>> build with 1.0.1f for Windows and other platforms.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
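The `tellmail status | grep "OpenSSL"` check quoted in the thread, as an added example that is not part of the original messages or NetWin's tooling: it parses the status line and classifies the reported version against CVE-2014-0160. It goes slightly beyond the thread's "1.0.1 means a problem" rule by treating 1.0.1g and later letter releases as fixed. The function names are hypothetical, and the result is only as good as the version string, so it assumes a statically linked upstream OpenSSL as described in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the OpenSSL version that
# `tellmail status` reports against CVE-2014-0160 (Heartbleed).
# Function names are hypothetical. Assumes an upstream OpenSSL version string.

# Pull the version token out of a line such as
#   SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Prints one of: vulnerable, fixed, not-affected, unknown
heartbleed_status() {
    ver=$(openssl_version "$1")
    case "$ver" in
        1.0.1|1.0.1[abcdef]) echo vulnerable ;;   # 1.0.1 through 1.0.1f
        1.0.1[a-z]*)         echo fixed ;;        # 1.0.1g and later letters
        0.9.*|1.0.0*)        echo not-affected ;; # no heartbeat extension
        *)                   echo unknown ;;      # empty or unrecognised
    esac
}

# Report for the live server when tellmail is on PATH (line format as in the thread).
check_surgemail() {
    line=$(tellmail status 2>/dev/null | grep 'OpenSSL') || return 2
    printf '%s -> %s\n' "$(openssl_version "$line")" "$(heartbleed_status "$line")"
}

# Sample lines: the first two are quoted in the thread, the rest are constructed.
run_samples() {
    for line in \
        'SSL/TLS (OpenSSL 1.0.1e 11 Feb 2013), Allow=(*)' \
        'SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)' \
        'SSL/TLS (OpenSSL 0.9.8r 8 Feb 2011), Allow=(*)' \
        'SSL/TLS (OpenSSL 1.0.1g 7 Apr 2014), Allow=(*)' \
        'SSL/TLS disabled'
    do
        printf '%-8s %s\n' "$(openssl_version "$line")" "$(heartbleed_status "$line")"
    done
}

if command -v tellmail >/dev/null 2>&1; then check_surgemail; else run_samples; fi
```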