[Dovecot] Heartbleed openssl vulnerability?

Reindl Harald h.reindl at thelounge.net
Tue Apr 8 19:42:20 UTC 2014



On 08.04.2014 21:38, lst_hoe02 at kwsoft.de wrote:
> Quoting Jakob Curdes <jc at info-systems.de>:
> 
>> On 08.04.2014 19:00, John Rowe wrote:
>>> Do we know if dovecot is vulnerable to the heartbleed SSL problem?
>>>
>>> I'm running dovecot-2.0.9 and openssl-1.01, the latter being
>>> intrinsically vulnerable. An on-line tool says that my machine is not
>>> affected on port 993 but it would be nice to know for sure if we were
>>> vulnerable for a while. (Naturally I've blocked it anyway!).
>>>
>> Usually all programs are linked dynamically to the library, so the vulnerability depends on the library only. If
>> you updated the library today and restarted the service (!!) then it is very likely that your mail installation
>> is not vulnerable any more. Otherwise it is very likely to be vulnerable, regardless of what tests say.
>> JC
> 
> Be aware that your private key might already have leaked without any notice. So your best bet is to withdraw your
> certificates and renew all keys/certificates on the affected machines.

correct, that was my whole-day job from 10:00 AM to 16:00 PM for 10 certificates
followed by openvpn-keys, better safe than sorry
luckily some wildcard certs in the meantime instead of a ton of single ones
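
Added example, not part of the original thread: the quoted point about restarting the service after updating the library can be checked on Linux by looking for processes that still map the old, replaced libssl/libcrypto. The function names are this example's own; it assumes a Linux `/proc` layout and that the update replaced the library file on disk, so the old mapping is marked `(deleted)`.

```shell
#!/bin/sh
# Added example: list processes that still map an old libssl/libcrypto
# that has since been replaced on disk (Linux /proc layout assumed).

# Read /proc/<pid>/maps text on stdin; print the libssl/libcrypto paths
# whose backing file is gone, i.e. the pre-update copy is still loaded.
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)[^/]*[.]so[^/]*$" {
             print $(NF-1)
         }' | sort -u
}

# Walk a proc-style tree; print "pid<TAB>command<TAB>stale libs".
scan_proc() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        libs=$(cat "$maps" 2>/dev/null | stale_ssl_libs)
        [ -n "$libs" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        name=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$name" "$(echo $libs)"
    done
}

# Run as root to see every process.
scan_proc /proc
```

Any process listed is still running the pre-update library code and needs a restart before the fix takes effect for it.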
