I'd like to add a few details here.
If you use the stock self-signed cert, you should still probably
regenerate this by doing:
# service qmail stop
# mv /var/qmail/control/servercert.pem \
/var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start
If you use your own cert/key, then you should know what you need to do
for that, which is beyond the scope of this email.
The dh keys used in the TLS key negotiation process should be generated
automatically every day by cron, which runs the /var/qmail/bin/dh_key
script. You might want to verify the dates of these files:
# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.
Thanks for clarifying this, Steve.
--
-Eric 'shubes'
On 04/08/2014 06:52 PM, Steve Huff wrote:
hey folks - please be aware that simply patching OpenSSL is NOT sufficient to
mitigate the risk. if you have been using a RHEL/CentOS 6 system to host
services secured by SSL, then you should consider your keys compromised, revoke
your keys, and deploy new keys and new certs.
read http://heartbleed.com to learn more.
-steve
On Apr 8, 2014, at 7:57 PM, Cecil Yother, Jr. <[email protected]> wrote:
FYI, This fix has only come out in the past few days.
On 04/08/2014 04:54 PM, Eric Shubert wrote:
On 04/08/2014 01:04 PM, Peter Peterse wrote:
Finn Buhelt schreef op 8-4-2014 21:53:
Hi list
Will this affects QMT ? ( latest release uses openssl-1.01 which is hit)
"New security holes are always showing up. The latest one, the
so-called <http://heartbleed.com/>Heartbleed Bug <http://heartbleed.com/>
in the OpenSSL <https://www.openssl.org/> cryptographic library, is
an especially bad one" - taken from zdnet.com
Regards,
Finn
Hi Finn,
I've read CentOS 6 is affected and CentOS 5 not.
CentOS 5.10 contains OpenSSL 0.9.8e
Regards,
Peter
RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.
To check if your package has the fix applied, you can:
$ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum) update your
openssl package.
--
<cj's_sig.png>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
