[Dovecot] Heartbleed openssl vulnerability?

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Tue Apr 8 19:38:01 UTC 2014


Quoting Jakob Curdes <jc at info-systems.de>:

> On 08.04.2014 19:00, John Rowe wrote:
>> Do we know if dovecot is vulnerable to the heartbleed SSL problem?
>>
>> I'm running dovecot-2.0.9 and openssl-1.01, the latter being
>> intrinsically vulnerable. An on-line tool says that my machine is not
>> affected on port 993 but it would be nice to know for sure if we were
>> vulnerable for a while. (Naturally I've blocked it anyway!).
>>
> Usually all programs are linked dynamically to the library, so the  
> vulnerability depends on the library only. If you updated the  
> library today and restarted the service (!!) then it is very likely  
> that your mail installation is not vulnerable any more. Otherwise it  
> is very likely to be vulnerable, regardless of what tests say.
> JC

Be aware that your private key might already have leaked without any  
notice. So your best bet is to withdraw your certificates and renew  
all keys/certificates on the affected machines.

Regards

Andreas
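
The "updated the library and restarted the service" condition discussed above can be checked on Linux, because a process that loaded the old shared library keeps mapping the replaced file, which then shows as "(deleted)" in /proc/<pid>/maps. The script below is an added example, not part of the original thread; the function names and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect processes that still map an
# OpenSSL library file that was replaced on disk, i.e. not yet restarted.

# stale_tls_libs [FILE]
# Read /proc/<pid>/maps-format text (FILE, or stdin) and print the unique
# libssl/libcrypto paths whose mapping is marked "(deleted)".
stale_tls_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' \
        "${1:--}" | sort -u
}

# Constructed sample: maps of a process started before the library upgrade.
sample_maps() {
    cat <<'EOF'
7f3c1a200000-7f3c1a265000 r-xp 00000000 08:01 1311234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3c1a265000-7f3c1a269000 r--p 00065000 08:01 1311234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3c19e00000-7f3c19fb5000 r-xp 00000000 08:01 1311230 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3c19a00000-7f3c19bb0000 r-xp 00000000 08:01 1311100 /usr/lib64/libc-2.12.so
7f3c19000000-7f3c19010000 rw-p 00000000 00:00 0
EOF
}

# scan_processes: check every readable process (run as root to see them all).
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        # Unreadable or already-exited processes yield empty output.
        stale=$(stale_tls_libs "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        # Unquoted $stale joins several paths onto one line.
        printf 'pid %s (%s) still maps: %s\n' "$pid" "$comm" "$(echo $stale)"
    done
}

# Run with --scan to inspect the live system.
if [ "${1:-}" = "--scan" ]; then scan_processes; fi
```

An empty result only shows that no running process holds the old library file; it says nothing about whether the installed library version is fixed or whether key material leaked earlier.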

