[Dovecot] Heartbleed openssl vulnerability?

Reindl Harald h.reindl at thelounge.net
Wed Apr 9 17:27:08 UTC 2014


Am 09.04.2014 19:18, schrieb Robert Schetterer:
> Am 09.04.2014 19:10, schrieb Reindl Harald:
>>
>> Am 09.04.2014 19:03, schrieb Robert Schetterer:
>>> Am 09.04.2014 18:42, schrieb Charles Marcus:
>>>> What are the ramifications of changing this on a production server? Any
>>>> possible problems/gotchas? user impact?
>>>
>>> in my understanding, change ssl keys and crts, do all needed ssl updates,
>>> keep performance mode, if unsure change all passwords too
>>
>> passwords too; in security mode only keys would have been
>> affected, and since this is an attack which leaves no single
>> indication that it ever happened on a machine, there
>> is no likely or unlikely
> 
> there should be no issue if you haven't used a vulnerable openssl version,
> i.e. ubuntu lucid has 0.9.x which is not reported vulnerable
> anyway, changing passwords from time to time is always clever

if you haven't used a vulnerable openssl you are not affected
at all - if you did, then private keys and certs are not your only
problem; there are enough articles in the meantime explaining why

"changing passwords from time to time is always clever" is a strawman
argument with no context to the issue; forcing people to change their
passwords all the time for no good reason leads mostly to completely
insecure passwords, to remember them more easily, or to having them on a
sticky note on the screen or under the keyboard

the word "counterproductive" describes such policies perfectly

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20140409/ebef9746/attachment.sig>
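The thread's practical question is whether a given host ever ran an affected OpenSSL at all, since that decides whether keys, certificates and passwords need rotating. The following is an added example, not code from the Dovecot project or from anyone in the thread: it parses `openssl version` banners and classifies them against the upstream CVE-2014-0160 range (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g fixed; the 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code, which is why the lucid remark above holds). The banner strings are constructed for the illustration. Caveat a practitioner must keep in mind: distributions backport the fix without bumping the upstream version, so a banner that falls in the affected range means "check the package changelog or probe the service", not "proven exposed".

```python
import re

# Constructed sample banners in the shape printed by `openssl version`.
# Written for this illustration, not captured from any real host.
SAMPLE_VERSIONS = [
    "OpenSSL 0.9.8k 25 Mar 2009",        # 0.9.8 branch: no TLS heartbeat code at all
    "OpenSSL 1.0.0e 6 Sep 2011",         # 1.0.0 branch: also never affected
    "OpenSSL 1.0.1e-fips 11 Feb 2013",   # inside the affected 1.0.1 .. 1.0.1f range
    "OpenSSL 1.0.1g 7 Apr 2014",         # first fixed 1.0.1 release
    "OpenSSL 1.0.2-beta1 24 Feb 2014",   # the one affected 1.0.2 pre-release
    "OpenSSL 1.1.0 25 Aug 2016",         # released long after the fix
]

# "OpenSSL <major>.<minor>.<patch><letter>[-<suffix>] <date>"
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, suffix) from an `openssl version` banner.

    letter is the patch letter ('' for a plain x.y.z release); suffix is whatever
    follows a dash, e.g. 'fips' or 'beta1' ('' if absent).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, (suffix or "")


def heartbleed_exposed_by_version(banner):
    """True if the upstream version in the banner lies in the CVE-2014-0160 range.

    This is a version-string triage only. Distro packages such as a backported
    1.0.1e carry the fix under the same upstream number, so a True result means
    "verify against the package changelog or a live heartbeat probe".
    """
    major, minor, patch, letter, suffix = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' are affected; 'g' and later are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug; beta2 onward were fixed.
        return suffix.startswith("beta1")
    # 0.9.8, 1.0.0, 1.1.x and newer never contained the vulnerable heartbeat code.
    return False


def triage(banners):
    """Map each banner to its version-range classification."""
    return {b: heartbleed_exposed_by_version(b) for b in banners}


if __name__ == "__main__":
    for banner, exposed in triage(SAMPLE_VERSIONS).items():
        verdict = ("in affected range: confirm, then rotate keys, certs and passwords"
                   if exposed else "not in affected range")
        print("%-36s %s" % (banner, verdict))
```

Run it against `openssl version` output from each host (and from any statically linked daemon, which reports its own embedded version) to sort the fleet into "never affected" and "needs confirmation"; only the second group needs the key, certificate and credential rotation the thread argues about.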

