[Dovecot] Heartbleed openssl vulnerability?
lst_hoe02 at kwsoft.de
Tue Apr 8 19:38:01 UTC 2014
Quoting Jakob Curdes <jc at info-systems.de>:
> On 08.04.2014 19:00, John Rowe wrote:
>> Do we know if dovecot is vulnerable to the heartbleed SSL problem?
>>
>> I'm running dovecot-2.0.9 and openssl-1.01, the latter being
>> intrinsically vulnerable. An on-line tool says that my machine is not
>> affected on port 993 but it would be nice to know for sure if we were
>> vulnerable for a while. (Naturally I've blocked it anyway!).
>>
> Usually all programs are linked dynamically to the library, so the
> vulnerability depends on the library only. If you updated the
> library today and restarted the service (!!) then it is very likely
> that your mail installation is not vulnerable any more. Otherwise it
> is very likely to be vulnerable, regardless of what tests say.
> JC
Be aware that your private key might already have leaked without any
notice. So your best bet is to withdraw your certificates and renew
all keys/certificates on the affected machines.
Regards
Andreas
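
The quoted point about restarting services after updating the library can be checked on a Linux host. This is an added example, not part of the original thread. It assumes a readable `/proc`, and the function names and sample lines are constructed for illustration. A process started before the upgrade keeps mapping the old library file, which the kernel marks `(deleted)` in `/proc/<pid>/maps`.

```python
import os
import re

# Path column of a /proc/<pid>/maps line naming libssl/libcrypto. Once an
# upgrade replaces the file, mappings of the old inode end in " (deleted)".
_TLS_LIB = re.compile(r"(/\S*lib(?:ssl|crypto)[^/\s]*\.so[^/\s]*)( \(deleted\))?$")

def tls_mappings(maps_text):
    """Return {path: is_deleted} for libssl/libcrypto mappings in maps text."""
    found = {}
    for line in maps_text.splitlines():
        m = _TLS_LIB.search(line.rstrip())
        if m:
            path, deleted = m.group(1), m.group(2) is not None
            found[path] = found.get(path, False) or deleted
    return found

def needs_restart(maps_text):
    """True if the process still maps a replaced (deleted) TLS library."""
    return any(tls_mappings(maps_text).values())

def scan_proc(proc_root="/proc"):
    """Yield (pid, name, stale_paths) for live processes needing a restart."""
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                maps_text = fh.read()
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                name = fh.read().strip()
        except OSError:  # process exited, or we lack permission to read it
            continue
        stale = [p for p, d in tls_mappings(maps_text).items() if d]
        if stale:
            yield int(entry), name, stale

# Constructed sample: a process started before the library upgrade.
SAMPLE_STALE = """\
7f3a1c000000-7f3a1c05a000 r-xp 00000000 fd:01 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c400000-7f3a1c5b0000 r-xp 00000000 fd:01 1312 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1d000000-7f3a1d1b6000 r-xp 00000000 fd:01 1200 /usr/lib64/libc-2.12.so
"""

if __name__ == "__main__":
    for pid, name, stale in scan_proc():
        print(f"{pid}\t{name}\tstill maps: {', '.join(stale)}")
```

Run as root to see every process. An empty result only shows that no process maps a replaced library file; it does not show that the installed library is a fixed version, and statically linked binaries do not appear at all.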