Quoting Jakob Curdes jc@info-systems.de:
On 08.04.2014 19:00, John Rowe wrote:
Do we know if dovecot is vulnerable to the heartbleed SSL problem?
I'm running dovecot-2.0.9 and openssl-1.01, the latter being intrinsically vulnerable. An on-line tool says that my machine is not affected on port 993 but it would be nice to know for sure if we were vulnerable for a while. (Naturally I've blocked it anyway!).
Usually all programs are linked dynamically to the library, so the
vulnerability depends on the library only. If you updated the
library today and restarted the service (!!) then it is very likely
that your mail installation is not vulnerable any more. Otherwise it
is very likely to be vulnerable, regardless of what tests say. JC
Be aware that your private key might already have leaked without any
notice. So your best bet is to withdraw your certificates and renew
all keys/certificates on the affected machines.
Regards
Andreas
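
The restart requirement mentioned in the thread can be checked directly. The following is an added example, not part of the original messages: a process that loaded the old OpenSSL library before the package update keeps the replaced file mapped, and the kernel marks it "(deleted)" in /proc/<pid>/maps. It assumes a Linux /proc filesystem; the function name `stale_ssl_pids` and its optional directory argument are hypothetical.

```shell
#!/bin/sh
# stale_ssl_pids [PROC_ROOT]
# Print "PID COMM LIBRARY" for every process that still maps a libssl or
# libcrypto file that has been replaced on disk since the process started.
# Such a process is still running the old library code and must be restarted.
# PROC_ROOT defaults to /proc; it is a parameter only so the function can be
# pointed at a constructed directory tree (assumption of this example).
# Usage: run "stale_ssl_pids" as root after updating the OpenSSL package.
stale_ssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip unmatched globs and processes we may not inspect.
        [ -r "$maps" ] || continue
        dir="${maps%/maps}"
        pid="${dir##*/}"
        comm="?"
        if [ -r "$dir/comm" ]; then
            read -r comm < "$dir/comm" || :
        fi
        # maps columns: address perms offset dev inode pathname [(deleted)]
        # Report each stale library once per process.
        awk -v pid="$pid" -v comm="$comm" '
            $NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)[^\/]*$/ && !seen[$6]++ {
                print pid, comm, $6
            }
        ' "$maps" 2>/dev/null || :
    done
    return 0
}
```

An empty result only shows that no running process holds a replaced copy of the library; it says nothing about whether the installed version is a fixed one, and nothing about keys that may already have leaked.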