Linux64 in place, tests good.
Now to conduct full testing...
LCR Computer Services, Inc.
Thanks for spotting that, looks like we updated that
build in june last year for some reason. We'll check the
others to be sure.
Full distributions will be done shortly but the above
should be sufficient for anyone who needs a fix in a
hurry.
(stop surgemail, replace the binary, start surgemail)
ChrisP.
Chris,
If all other platforms were running OpenSSL v0.98 until
a few
days ago, why is our release (SurgeMail Version
6.5b-52, Built
Jan 11 2014 10:30:54, Platform Linux_64 (Surgeweb
Enabled))
running 1.0.1e?
mail1:~# tellmail status | grep OpenSSL
SSL/TLS (OpenSSL 1.0.1e 11 Feb 2013), Allow=(*)
mail1:~#
Perhaps because we got a custom build?
Regards,
Frank
Sent: Tuesday, April 08, 2014 5:00 PM
Subject: re: Re: [SurgeMail List] CVE-2014-0160 a. k.
a.Heartbleed
Right, as far as I can recall all platforms other than
solaris
x86 were on 9.8 of openssl until a few days ago
(because we
preferred the stability of that version) then about a
week ago we
started changing to 1.0.1f on linux and windows to
allow the use
of some of the better encryption features it provided
to protect
ya'll from the NSA :-).
So to quickly check if you have a problem do this:
WINDOWS: tellmail status | find "OpenSSL"
SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
UNIX: tellmail status | grep "OpenSSL"
SSL/TLS (OpenSSL 1.0.1f 6 Jan 2014), Allow=(*)
If you see '1.0.1' then you have a problem, if you see
0.9.8...
then you are all good and can relax.
We will be doing new builds for all affected systems in
the next
hour or two and will post the
builds to this list.
ChrisP.
Both 6.5a and 6.6a for Solaris x64 are vulnerable.
It would be great to get some guidance from NetWin on
this.
They may, of course, be busy right now.
Best,
Chris
Am 08.04.2014 um 23:35 schrieb Steffen
I am running Windows 6.6b-7 (has 0.9.8r) and it is
statically
linked. So that is save. I hope that Netwin is not
supplying a
build with 1..0.1f for Windows and other platforms.
