ChrisP,

Related to this, as I consider our upgrade plans: After Heartbleed, we upgraded to the latest 6.6 beta then available, but had to downgrade to the Heartbleed-patched version of 6.5 due to iOS IMAP issues. It seems you pulled 6.6 off the beta page at some point - the web page continues to list 6.5a-2, while the iOS issues are listed as fixed in 6.6d-3 in the SurgeMail release notes. Is there something else you currently consider pre-beta about 6.6?

Thanks,
Chris

On 10.06.2014 at 01:10, surgemail-support <surgemailHIDDEN@t@netwinsite.com> wrote:

> Thanks for pointing this out.
>
> Just to clarify my original comment, I meant none of the serious issues on that list of patches. I should have been more specific: I was looking for issues that required immediate action (e.g. it's not vulnerable to the attacks that allow someone to break into a server or crash it or easily expose user data etc.).
>
> A man-in-the-middle attack, although serious in the long term for security, is not something that a general hacker can use to spy on your users, as getting 'in the middle' is at least relatively difficult, and even then it only applies when the client software also has the same fault.
>
> Anyway, we just meant there was no huge rush; it's not even in the same ballpark as the Heartbleed issue :-). But yes, you do want to upgrade to these new builds if you want to ensure you have the best security.
>
> Use the latest 6.6d versions in this folder:
> http://netwinsite.com/ftp/surgemail/specials
>
> While we are on the topic, you should also turn on this setting:
> g_ssl_perfect "true"
> This uses some better defaults for SSL ciphers which increase security, and also works better with certain broken mail servers (notably some versions of Exchange).
>
> Alternatively, if you prefer to wait for a beta/release cycle, then we expect to move these builds through to beta in the next few days if no issues surface.
>
> ChrisP
>
>> SurgeMail Version 6.6d-3, Built Apr 10 2014 12:11:50, Platform Linux_64
>> displays as vulnerable to the SSL/TLS MITM vulnerability (CVE-2014-0224)
>> using Red Hat's CCS Injection Detector
>> (https://access.redhat.com/labs/ccsinjectiontest/).
>>
>>> On 05. 06. 14 23:54, surgemail-support wrote:
>>> No, we just looked through that list and it appears none of those
>>> issues are relevant for surgemail's use of SSL.
>>> We will release a new beta late next week with new SSL libraries
>>> anyway just in case, but there doesn't seem to be any urgent need for it
>>> based on SSL.
>>> ChrisP.
>>>
>>> --
>>> Christopher Greiner
>>> Université de Lausanne
>>> Centre informatique
>>> Amphimax
>>> CH-1015 Lausanne
>>>
>>> E-mail: Christopher.Greiner [at] unil.ch
>>> Tel: +41 21 692 21 93
>>> URL: http://www.unil.ch/ci/