SurgeMail Archive: re: Re: [SurgeMail List] CVE-2014-0160 a. k. a.Heartbleed

Subject:	re: Re: [SurgeMail List] CVE-2014-0160 a. k. a.Heartbleed
From:	surgemail-support
Date:	08-Apr-2014
Here is a fix. I would appreciate confirmation if it is/isn't stable with that. http://netwinsite.com/ftp/misc/l64.tar.gz ChrisP. Spoke too soon. restarted twice. I have sent the restart message to support. Lyle Giese LCR Computer Services, Inc. On 04/08/14 18:22, Lyle Giese wrote: Linux64 in place, tests good. Now to conduct full testing... Thanks! Lyle Giese LCR Computer Services, Inc. On 04/08/14 18:06, surgemail-support wrote: Thanks for spotting that, looks like we updated that build in june last year for some reason. We'll check the others to be sure. Solaris Intel 64 Binary http://netwinsite.com/ftp/misc/si64.tar.gz Linux 64 Bit binary http://netwinsite.com/ftp/misc/l64.tar.gz Windows binary http://netwinsite.com/ftp/misc/v1.zip Full distributions will be done shortly but the above should be sufficient for anyone who needs a fix in a hurry. (stop surgemail, replace the binary, start surgemail) ChrisP. Chris, If all other platforms were running OpenSSL v0.98 until a few days ago, why is our release (SurgeMail Version 6.5b-52, Built Jan 11 2014 10:30:54, Platform Linux_64 (Surgeweb Enabled)) running 1.0.1e? mail1:~# tellmail status \| grep OpenSSL SSL/TLS (OpenSSL 1.0.1e 11 Feb 2013), Allow=() mail1:~# Perhaps because we got a custom build? Regards, Frank From: surgemail-support [mailto:surgemail-support@netwinsite.com] Sent: Tuesday, April 08, 2014 5:00 PM To: surgemail-list@netwinsite.com Subject: re: Re: [SurgeMail List] CVE-2014-0160 a. k. a.Heartbleed Right, as far as I can recall all platforms other than solaris x86 were on 9.8 of openssl until a few days ago (because we preferred the stability of that version) then about a week ago we started changing to 1.0.1f on linux and windows to allow the use of some of the better encryption features it provided to protect ya'll from the NSA :-). So to quickly check if you have a problem do this: WINDOWS: tellmail status \| find "OpenSSL" SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=() UNIX: tellmail status \| grep "OpenSSL" SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*) If you see '1.0.1' then you have a problem, if you see 0.9.8... then you are all good and can relax. We will be doing new builds for all affected systems in the next hour or two and will post the builds to this list. ChrisP. Both 6.5a and 6.6a for Solaris x64 are vulnerable. It would be great to get some guidance from NetWin on this. They may, of course, be busy right now. Best, Chris Am 08.04.2014 um 23:35 schrieb Steffen <steffen@land10.nl<mailto:steffen@land10.nl>>: I am running Windows 6.6b-7 (has 0.9.8r) and it is statically linked. So that is save. I hope that Netwin is not supplying a build with 1..0.1f for Windows and other platforms.

archive-list@netwin_co_nz mailing list Archive Index

Previous Message | Next Message


Search website: