Re: Heartbleed warning - Cyrus admin password leak!

2014-04-12 Thread Bron Gondwana
On Sat, Apr 12, 2014, at 01:17 AM, Ken Murchison wrote:
> All,
>
> I'm sure you have all heard about the Heartbleed bug [1] by now.  If
> not, you definitely need to read up on it and take appropriate action.
>
> A Cyrus admin (not at CMU) has recently run the check-ssl-heartbleed
> script [2] against his server which was using one of the affected versions
> of OpenSSL and was easily able to capture usernames and passwords,
> including the admin password.
>
> Again, please check the versions of OpenSSL on your servers and patch
> or upgrade them ASAP.

Note that if you just upgrade the openssl libraries, but don't
reinstall your Cyrus binaries, then the system won't automatically
restart daemons.

You should manually restart Cyrus after you complete your upgrades.

Finally, as Ken mentioned, if you have an SSL-enabled Cyrus listening
to the internet, your admin password may have been stolen already.
Upgrading OpenSSL won't stop future login attempts with that stolen
password.

You still need to change your admin password AFTER you have upgraded
OpenSSL.

Cheers,

Bron.

--
Bron Gondwana
br...@fastmail.fm

References

1. http://heartbleed.com/
2. https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
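The two checks behind the advice in this thread, added here as example code that is not from the thread or from the Cyrus project: whether the installed OpenSSL is one of the Heartbleed-affected upstream releases (1.0.1 through 1.0.1f, and 1.0.2-beta1), and which daemons are still running with the replaced libssl/libcrypto mapped, which is why Bron says Cyrus must be restarted by hand. It assumes a Linux host with /proc; the sample maps content is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Cyrus project. Two checks behind the
# advice above: is the installed OpenSSL an affected upstream release, and which
# daemons still map the OLD libssl/libcrypto after the upgrade? Linux keeps a
# replaced .so mapped, flagged "(deleted)" in /proc/<pid>/maps, until a restart.

# heartbleed_version "<openssl version output>": 0 for upstream 1.0.1..1.0.1f
# or 1.0.2-beta1. Caveat: distros that backport the fix keep the old version
# string, so a hit means "check the package changelog", not proof of exposure.
heartbleed_version() {
    set -- $1                          # split "OpenSSL 1.0.1e 11 Feb 2013"
    [ "$1" = OpenSSL ] && shift
    case "$1" in 1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;; *) return 1 ;; esac
}

# stale_ssl_libs <maps-file>: distinct deleted libssl/libcrypto paths still
# mapped by that process, one per line; prints nothing when it is clean.
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /lib(ssl|crypto)\.so/ { print $(NF-1) }' \
        "$1" 2>/dev/null | sort -u
}

# scan_running_processes: walk /proc (as root, to see every daemon) and print
# "pid<TAB>comm<TAB>library" per stale mapping. Returns 1 if any were found.
scan_running_processes() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        for lib in $(stale_ssl_libs "$maps"); do
            found=1
            printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$lib"
        done
    done
    return $found
}

# Constructed sample: maps of an imapd that was not restarted after the libssl
# package was replaced (addresses, inodes and paths are made up for the demo).
sample_maps() {
    cat <<'EOF'
7f1a4c000000-7f1a4c1d8000 r-xp 00000000 fd:01 393241    /lib/x86_64-linux-gnu/libc-2.13.so
7f1a4c400000-7f1a4c45e000 r-xp 00000000 fd:01 393402    /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a4c660000-7f1a4c7f0000 r-xp 00000000 fd:01 393399    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
EOF
}

case "${1-}" in
    demo) sample_maps > "/tmp/maps.$$"; stale_ssl_libs "/tmp/maps.$$"; rm -f "/tmp/maps.$$" ;;
    scan) heartbleed_version "$(openssl version 2>/dev/null)" && echo "affected OpenSSL release"; scan_running_processes ;;
esac
```

Run it as root with the `scan` argument on the server itself, or with `demo` to see what a hit looks like on the constructed sample; any process it lists still has the old library in memory regardless of what `openssl version` now reports.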

Re: Heartbleed warning - Cyrus admin password leak!

2014-04-12 Thread Robert Norris
On Sun, Apr 13, 2014, at 12:55 PM, Bron Gondwana wrote:
> Finally, as Ken mentioned, if you have an SSL-enabled Cyrus listening
> to the internet, your admin password may have been stolen already.
> Upgrading OpenSSL won't stop future login attempts with that stolen
> password.

Your private key may also have been stolen. You'll need to regenerate
your private key and certificate (or get a new one from your CA), and
get the old one revoked.

Cheers,
Rob N.


Heartbleed warning - Cyrus admin password leak!

2014-04-11 Thread Ken Murchison

All,

I'm sure you have all heard about the Heartbleed bug (http://heartbleed.com/)
by now.  If not, you definitely need to read up on it and take appropriate
action.

A Cyrus admin (not at CMU) has recently run the check-ssl-heartbleed script
(https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl)
against his server which was using one of the affected versions of OpenSSL
and was easily able to capture usernames and passwords, including the admin
password.

Again, please check the versions of OpenSSL on your servers and patch or
upgrade them ASAP.


Regards,
Ken

--
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University

