Thanks for pointing this out.
Just to clarify my original comment: I meant none of the serious
issues on that list of patches. I should have been more specific; I was looking
for issues that required immediate action (e.g. it's not vulnerable to
the attacks that allow someone to break into a server, crash it, or easily
expose user data, etc.).
A man-in-the-middle attack, although serious in the long term for
security, is not something that a general hacker can use to spy on your
users, as getting 'in the middle' is at least relatively difficult, and even then
it only applies when the client software also has the same fault.
Anyway, we just meant there was no huge rush; it's not even in the same
ballpark as the Heartbleed issue :-). But yes, you do want to
upgrade to these new builds if you want to ensure you have the best
security.
Use the latest 6.6d versions in this folder:
While we are on the topic, you should also turn on this setting:
g_ssl_perfect "true"
This uses some better defaults for SSL ciphers which increase security, and
also works better with certain broken mail servers (notably some versions of
Exchange).
Alternatively, if you prefer to wait for a beta/release cycle, then we expect
to move these builds through to beta in the next few days if no issues
surface.
ChrisP
SurgeMail Version 6.6d-3, Built Apr 10 2014 12:11:50, Platform Linux_64
displays as vulnerable to the SSL/TLS MITM vulnerability (CVE-2014-0224)
using Red Hat's CCS Injection Detector
(https://access.redhat.com/labs/ccsinjectiontest/).
On 05. 06. 14 23:54, surgemail-support wrote:
No, we just looked through that list and it appears none of those
issues are relevant for SurgeMail's use of SSL.
We will release a new beta late next week with new SSL libraries
anyway, just in case, but there doesn't seem to be any urgent need for it
based on SSL.
ChrisP.
--
Christopher Greiner
Université de Lausanne
Centre informatique
Amphimax
CH-1015 Lausanne
E-mail: Christopher.Greiner [at] unil.ch
Tel: +41 21 692 21 93
URL: http://www.unil.ch/ci/