[qmailtoaster] Re: heartbleed bug

2014-04-11 Thread Eric Shubert

Pretty much what I suspected.
I hope that sound minds such as this prevail.
Thanks Finn.

--
-Eric 'shubes'

On 04/11/2014 09:31 AM, Finn Buhelt wrote:

Hi.

Just received this very useful information regarding the Heartbleed bug
from the nginx maillist:

http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed


Regards,
Finn


On 10-04-2014 23:10, Dave M wrote:

Hell yes



-Original Message-
From: Eric Shubert
Sent: Thursday, April 10, 2014 12:52 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

Just a reminder, that COS5 hosts aren't susceptible to this bug. It
was introduced in a version of openssl which is later than what COS5
uses.

Are you now glad that you haven't yet upgraded? ;)




-
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]









Re: [qmailtoaster] Re: heartbleed bug

2014-04-11 Thread Finn Buhelt

Hi.

Just received this very useful information regarding the Heartbleed bug
from the nginx maillist:


http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

Regards,
Finn


On 10-04-2014 23:10, Dave M wrote:

Hell yes



-Original Message-
From: Eric Shubert
Sent: Thursday, April 10, 2014 12:52 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

Just a reminder, that COS5 hosts aren't susceptible to this bug. It 
was introduced in a version of openssl which is later than what COS5 
uses.


Are you now glad that you haven't yet upgraded? ;)







Re: [qmailtoaster] Re: heartbleed bug

2014-04-10 Thread Eric Broch
On 4/10/2014 1:52 PM, Eric Shubert wrote:
> Just a reminder, that COS5 hosts aren't susceptible to this bug. It
> was introduced in a version of openssl which is later than what COS5
> uses.
>
> Are you now glad that you haven't yet upgraded? ;)
>
That's the FIRST thing I thought!




Re: [qmailtoaster] Re: heartbleed bug

2014-04-10 Thread Dave M

Hell yes



-Original Message- 
From: Eric Shubert 
Sent: Thursday, April 10, 2014 12:52 PM 
To: [email protected] 
Subject: [qmailtoaster] Re: heartbleed bug 

Just a reminder, that COS5 hosts aren't susceptible to this bug. It was 
introduced in a version of openssl which is later than what COS5 uses.


Are you now glad that you haven't yet upgraded? ;)

--
-Eric 'shubes'

On 04/10/2014 08:18 AM, Dave M wrote:

Apologies, this is a CentOS 5.10 installation.

qtp-whatami
qtp-whatami v0.3.8 Thu Apr 10 08:18:25 MDT 2014
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.10
QTARCH=i686
QTKERN=2.6.18-371.3.1.el5
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat


Dave M

-Original Message- From: Dave M
Sent: Thursday, April 10, 2014 8:15 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Hi Eric

What is the correct path as the makecert fails
/var/qmail/bin/makecert.sh: No such file or director

Dave M

-Original Message- From: Eric Shubert
Sent: Wednesday, April 09, 2014 1:01 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably
regenerate this by doing:
# service qmail stop
# mv /var/qmail/control/servercert.pem \
  /var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start

If you use your own cert/key, then you should know what you need to do
for that, which is beyond the scope of this email.

The dh keys used in the TLS key negotiation process should be generated
automatically every day by cron, which runs the /var/qmail/bin/dh_key
script. You might want to verify the dates of these files:
# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.









[qmailtoaster] Re: heartbleed bug

2014-04-10 Thread Eric Shubert
Just a reminder, that COS5 hosts aren't susceptible to this bug. It was 
introduced in a version of openssl which is later than what COS5 uses.


Are you now glad that you haven't yet upgraded? ;)

--
-Eric 'shubes'

On 04/10/2014 08:18 AM, Dave M wrote:

Apologies, this is a CentOS 5.10 installation.

qtp-whatami
qtp-whatami v0.3.8 Thu Apr 10 08:18:25 MDT 2014
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.10
QTARCH=i686
QTKERN=2.6.18-371.3.1.el5
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat


Dave M

-Original Message- From: Dave M
Sent: Thursday, April 10, 2014 8:15 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Hi Eric

What is the correct path as the makecert fails
/var/qmail/bin/makecert.sh: No such file or director

Dave M

-Original Message- From: Eric Shubert
Sent: Wednesday, April 09, 2014 1:01 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably
regenerate this by doing:
# service qmail stop
# mv /var/qmail/control/servercert.pem \
  /var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start

If you use your own cert/key, then you should know what you need to do
for that, which is beyond the scope of this email.

The dh keys used in the TLS key negotiation process should be generated
automatically every day by cron, which runs the /var/qmail/bin/dh_key
script. You might want to verify the dates of these files:
# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.









Re: [qmailtoaster] Re: heartbleed bug

2014-04-10 Thread Dave M

Thanks Eric
And everyone involved in this
The COS6 packages will be promoted from testing to current very 


Dave M


-Original Message- 
From: Eric Shubert 
Sent: Thursday, April 10, 2014 8:08 AM 
To: [email protected] 
Subject: [qmailtoaster] Re: heartbleed bug 


Thanks for finding this, Dave.

I forgot that I created this script in the new COS6 version by taking 
the code out of the spec file. I didn't realize how soon that'd be 
useful. :)


If anyone's wondering, the script should work the same on COS5.

I just looked at the code, and noticed that it uses 1024-bit key. I'll 
change that to 2048-bit. Everyone who is running the COS6 qmail package 
with stock servercert.pem file should change their makecert.sh script 
before running it.


Thanks.

P.S. The COS6 packages will be promoted from testing to current very 
soon. :)


--
-Eric 'shubes'

On 04/10/2014 08:24 AM, Dave M wrote:

Did some searching,

would this be correct
https://github.com/QMailToaster/qmail/blob/master/makecert.sh



-Original Message- From: Dave M
Sent: Thursday, April 10, 2014 8:18 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Apologies, this is a CentOS 5.10 installation.

qtp-whatami
qtp-whatami v0.3.8 Thu Apr 10 08:18:25 MDT 2014
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.10
QTARCH=i686
QTKERN=2.6.18-371.3.1.el5
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat


Dave M

-Original Message- From: Dave M
Sent: Thursday, April 10, 2014 8:15 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Hi Eric

What is the correct path as the makecert fails
/var/qmail/bin/makecert.sh: No such file or director

Dave M

-Original Message- From: Eric Shubert
Sent: Wednesday, April 09, 2014 1:01 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably
regenerate this by doing:
# service qmail stop
# mv /var/qmail/control/servercert.pem \
  /var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start

If you use your own cert/key, then you should know what you need to do
for that, which is beyond the scope of this email.

The dh keys used in the TLS key negotiation process should be generated
automatically every day by cron, which runs the /var/qmail/bin/dh_key
script. You might want to verify the dates of these files:
# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.









[qmailtoaster] Re: heartbleed bug

2014-04-10 Thread Eric Shubert

Thanks for finding this, Dave.

I forgot that I created this script in the new COS6 version by taking 
the code out of the spec file. I didn't realize how soon that'd be 
useful. :)


If anyone's wondering, the script should work the same on COS5.

I just looked at the code, and noticed that it uses 1024-bit key. I'll 
change that to 2048-bit. Everyone who is running the COS6 qmail package 
with stock servercert.pem file should change their makecert.sh script 
before running it.


Thanks.

P.S. The COS6 packages will be promoted from testing to current very 
soon. :)


--
-Eric 'shubes'

On 04/10/2014 08:24 AM, Dave M wrote:

Did some searching,

would this be correct
https://github.com/QMailToaster/qmail/blob/master/makecert.sh



-Original Message- From: Dave M
Sent: Thursday, April 10, 2014 8:18 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Apologies, this is a CentOS 5.10 installation.

qtp-whatami
qtp-whatami v0.3.8 Thu Apr 10 08:18:25 MDT 2014
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.10
QTARCH=i686
QTKERN=2.6.18-371.3.1.el5
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat


Dave M

-Original Message- From: Dave M
Sent: Thursday, April 10, 2014 8:15 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Hi Eric

What is the correct path as the makecert fails
/var/qmail/bin/makecert.sh: No such file or director

Dave M

-Original Message- From: Eric Shubert
Sent: Wednesday, April 09, 2014 1:01 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably
regenerate this by doing:
# service qmail stop
# mv /var/qmail/control/servercert.pem \
  /var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start

If you use your own cert/key, then you should know what you need to do
for that, which is beyond the scope of this email.

The dh keys used in the TLS key negotiation process should be generated
automatically every day by cron, which runs the /var/qmail/bin/dh_key
script. You might want to verify the dates of these files:
# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.









Re: [qmailtoaster] Re: heartbleed bug

2014-04-10 Thread Dave M

Did some searching,

would this be correct
https://github.com/QMailToaster/qmail/blob/master/makecert.sh



-Original Message- 
From: Dave M

Sent: Thursday, April 10, 2014 8:18 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Apologies, this is a CentOS 5.10 installation.

qtp-whatami
qtp-whatami v0.3.8 Thu Apr 10 08:18:25 MDT 2014
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.10
QTARCH=i686
QTKERN=2.6.18-371.3.1.el5
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat


Dave M

-Original Message- 
From: Dave M

Sent: Thursday, April 10, 2014 8:15 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Hi Eric

What is the correct path as the makecert fails
/var/qmail/bin/makecert.sh: No such file or director

Dave M

-Original Message- 
From: Eric Shubert

Sent: Wednesday, April 09, 2014 1:01 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably
regenerate this by doing:
# service qmail stop
# mv /var/qmail/control/servercert.pem \
 /var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start

If you use your own cert/key, then you should know what you need to do
for that, which is beyond the scope of this email.

The dh keys used in the TLS key negotiation process should be generated
automatically every day by cron, which runs the /var/qmail/bin/dh_key
script. You might want to verify the dates of these files:
# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.

--
-Eric 'shubes'

On 04/08/2014 06:52 PM, Steve Huff wrote:
hey folks - please be aware that simply patching OpenSSL is NOT sufficient 
to mitigate the risk.  if you have been using a RHEL/CentOS 6 system to 
host services secured by SSL, then you should consider your keys 
compromised, revoke your keys, and deploy new keys and new certs.


read http://heartbleed.com to learn more.

-steve

On Apr 8, 2014, at 7:57 PM, Cecil Yother, Jr.  wrote:


FYI,  This fix has only come out in the past few days.
On 04/08/2014 04:54 PM, Eric Shubert wrote:

On 04/08/2014 01:04 PM, Peter Peterse wrote:

Finn Buhelt wrote on 8-4-2014 21:53:

Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)


"New security holes are always showing up. The latest one, the
so-called Heartbleed Bug <http://heartbleed.com/>
in the OpenSSL <https://www.openssl.org/> cryptographic library, is
an especially bad one" - taken from zdnet.com


Regards,
Finn


Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.

CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter


RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.

To check if your package has the fix applied, you can:
$ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum) update 
your openssl package.




--










Re: [qmailtoaster] Re: heartbleed bug

2014-04-10 Thread Dave M

Apologies, this is a CentOS 5.10 installation.

qtp-whatami
qtp-whatami v0.3.8 Thu Apr 10 08:18:25 MDT 2014
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.10
QTARCH=i686
QTKERN=2.6.18-371.3.1.el5
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat


Dave M

-Original Message- 
From: Dave M

Sent: Thursday, April 10, 2014 8:15 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: heartbleed bug

Hi Eric

What is the correct path as the makecert fails
/var/qmail/bin/makecert.sh: No such file or director

Dave M

-Original Message- 
From: Eric Shubert

Sent: Wednesday, April 09, 2014 1:01 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably
regenerate this by doing:
# service qmail stop
# mv /var/qmail/control/servercert.pem \
 /var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start

If you use your own cert/key, then you should know what you need to do
for that, which is beyond the scope of this email.

The dh keys used in the TLS key negotiation process should be generated
automatically every day by cron, which runs the /var/qmail/bin/dh_key
script. You might want to verify the dates of these files:
# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.

--
-Eric 'shubes'

On 04/08/2014 06:52 PM, Steve Huff wrote:
hey folks - please be aware that simply patching OpenSSL is NOT sufficient 
to mitigate the risk.  if you have been using a RHEL/CentOS 6 system to 
host services secured by SSL, then you should consider your keys 
compromised, revoke your keys, and deploy new keys and new certs.


read http://heartbleed.com to learn more.

-steve

On Apr 8, 2014, at 7:57 PM, Cecil Yother, Jr.  wrote:


FYI,  This fix has only come out in the past few days.
On 04/08/2014 04:54 PM, Eric Shubert wrote:

On 04/08/2014 01:04 PM, Peter Peterse wrote:

Finn Buhelt wrote on 8-4-2014 21:53:

Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)


"New security holes are always showing up. The latest one, the
so-called Heartbleed Bug <http://heartbleed.com/>
in the OpenSSL <https://www.openssl.org/> cryptographic library, is
an especially bad one" - taken from zdnet.com


Regards,
Finn


Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.

CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter


RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.

To check if your package has the fix applied, you can:
$ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum) update 
your openssl package.




--










Re: [qmailtoaster] Re: heartbleed bug

2014-04-10 Thread Dave M

Hi Eric

What is the correct path as the makecert fails
/var/qmail/bin/makecert.sh: No such file or director

Dave M

-Original Message- 
From: Eric Shubert

Sent: Wednesday, April 09, 2014 1:01 PM
To: [email protected]
Subject: [qmailtoaster] Re: heartbleed bug

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably
regenerate this by doing:
# service qmail stop
# mv /var/qmail/control/servercert.pem \
 /var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start

If you use your own cert/key, then you should know what you need to do
for that, which is beyond the scope of this email.

The dh keys used in the TLS key negotiation process should be generated
automatically every day by cron, which runs the /var/qmail/bin/dh_key
script. You might want to verify the dates of these files:
# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.

--
-Eric 'shubes'

On 04/08/2014 06:52 PM, Steve Huff wrote:
hey folks - please be aware that simply patching OpenSSL is NOT sufficient 
to mitigate the risk.  if you have been using a RHEL/CentOS 6 system to 
host services secured by SSL, then you should consider your keys 
compromised, revoke your keys, and deploy new keys and new certs.


read http://heartbleed.com to learn more.

-steve

On Apr 8, 2014, at 7:57 PM, Cecil Yother, Jr.  wrote:


FYI,  This fix has only come out in the past few days.
On 04/08/2014 04:54 PM, Eric Shubert wrote:

On 04/08/2014 01:04 PM, Peter Peterse wrote:

Finn Buhelt wrote on 8-4-2014 21:53:

Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)


"New security holes are always showing up. The latest one, the
so-called Heartbleed Bug <http://heartbleed.com/>
in the OpenSSL <https://www.openssl.org/> cryptographic library, is
an especially bad one" - taken from zdnet.com


Regards,
Finn


Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.

CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter


RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.

To check if your package has the fix applied, you can:
$ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum) update 
your openssl package.




--










[qmailtoaster] Re: heartbleed bug

2014-04-09 Thread Eric Shubert

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably 
regenerate this by doing:

# service qmail stop
# mv /var/qmail/control/servercert.pem \
 /var/qmail/control/servercert.pem.compromised
# /var/qmail/bin/makecert.sh
# service qmail start

If you use your own cert/key, then you should know what you need to do 
for that, which is beyond the scope of this email.


The dh keys used in the TLS key negotiation process should be generated 
automatically every day by cron, which runs the /var/qmail/bin/dh_key 
script. You might want to verify the dates of these files:

# ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.

--
-Eric 'shubes'

On 04/08/2014 06:52 PM, Steve Huff wrote:

hey folks - please be aware that simply patching OpenSSL is NOT sufficient to 
mitigate the risk.  if you have been using a RHEL/CentOS 6 system to host 
services secured by SSL, then you should consider your keys compromised, revoke 
your keys, and deploy new keys and new certs.

read http://heartbleed.com to learn more.

-steve

On Apr 8, 2014, at 7:57 PM, Cecil Yother, Jr.  wrote:


FYI,  This fix has only come out in the past few days.
On 04/08/2014 04:54 PM, Eric Shubert wrote:

On 04/08/2014 01:04 PM, Peter Peterse wrote:

Finn Buhelt wrote on 8-4-2014 21:53:

Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)

"New security holes are always showing up. The latest one, the
so-called Heartbleed Bug in the OpenSSL cryptographic library, is
an especially bad one" - taken from zdnet.com


Regards,
Finn


Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.

CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter


RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.

To check if your package has the fix applied, you can:
$ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum) update your 
openssl package.



--










Re: [qmailtoaster] Re: heartbleed bug

2014-04-08 Thread Cecil Yother, Jr.

  
  
FYI, This fix has only come out in the past few days.

On 04/08/2014 04:54 PM, Eric Shubert wrote:

On 04/08/2014 01:04 PM, Peter Peterse wrote:

Finn Buhelt wrote on 8-4-2014 21:53:

Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)

"New security holes are always showing up. The latest one, the
so-called Heartbleed Bug in the OpenSSL cryptographic library, is
an especially bad one" - taken from zdnet.com


Regards,
Finn


Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.

CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter


RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.

To check if your package has the fix applied, you can:
$ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum)
update your openssl package.


--
  
  



[qmailtoaster] Re: heartbleed bug

2014-04-08 Thread Eric Shubert

On 04/08/2014 01:04 PM, Peter Peterse wrote:

Finn Buhelt wrote on 8-4-2014 21:53:

Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)

"New security holes are always showing up. The latest one, the
so-called Heartbleed Bug in the OpenSSL cryptographic library, is
an especially bad one" - taken from zdnet.com


Regards,
Finn


Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.

CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter


Thanks guys for pointing this out.

--
-Eric 'shubes'





[qmailtoaster] Re: heartbleed bug

2014-04-08 Thread Eric Shubert

On 04/08/2014 01:04 PM, Peter Peterse wrote:

Finn Buhelt wrote on 8-4-2014 21:53:

Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)

"New security holes are always showing up. The latest one, the
so-called Heartbleed Bug in the OpenSSL cryptographic library, is
an especially bad one" - taken from zdnet.com


Regards,
Finn


Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.

CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter


RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.

To check if your package has the fix applied, you can:
$ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum) update 
your openssl package.


--
-Eric 'shubes'
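
The checks described in this thread (the `rpm -q openssl --changelog` grep in the message above, and the servercert.pem key size and dh* file dates from the 04/09 and 04/10 messages), gathered into one script. This is an added example, not part of any post or of the QMailToaster packages; the function names and the 24-hour staleness window are assumptions, while the paths, the CVE id and the 2048-bit minimum are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: post-Heartbleed checks for a QMailToaster host.
# Paths and the CVE id are the ones quoted in the thread; the function
# names and the 24-hour window are assumptions made for this example.

# True if the changelog text on stdin lists the Heartbleed fix.
# Input: output of `rpm -q openssl --changelog`.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Print the public key size found in `openssl x509 -noout -text` output
# on stdin. Handles "Public-Key: (2048 bit)" (OpenSSL 1.0 and later) and
# "RSA Public Key: (1024 bit)" (OpenSSL 0.9.8).
key_bits_from_text() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# List dh* files directly under directory $1 whose mtime is 24 hours old
# or more, i.e. files the daily cron job did not regenerate.
stale_dh_files() {
    find "$1" -maxdepth 1 -type f -name 'dh*' -mtime +0 | sort
}

# Run all three checks. $1 = changelog text file, $2 = certificate text
# file, $3 = control directory. Returns 1 if anything needs attention.
heartbleed_audit() {
    rc=0
    if changelog_has_fix < "$1"; then
        echo "openssl: changelog lists the CVE-2014-0160 fix"
    else
        echo "openssl: fix not listed; on COS6, yum update openssl"
        rc=1
    fi
    bits=$(key_bits_from_text < "$2")
    if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
        echo "cert: ${bits}-bit key"
    else
        echo "cert: ${bits:-unknown}-bit key; regenerate with 2048 bits"
        rc=1
    fi
    stale=$(stale_dh_files "$3")
    if [ -z "$stale" ]; then
        echo "dh: no dh* file is older than 24 hours"
    else
        echo "dh: not regenerated recently, check crontab:"
        echo "$stale"
        rc=1
    fi
    return "$rc"
}

# Live run on the mail host (needs rpm and openssl): sh audit.sh live
if [ "${1:-}" = "live" ]; then
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    rpm -q openssl --changelog > "$tmp/changelog"
    openssl x509 -in /var/qmail/control/servercert.pem -noout -text \
        > "$tmp/cert.txt"
    heartbleed_audit "$tmp/changelog" "$tmp/cert.txt" /var/qmail/control
fi
```

On a COS5 host the changelog check reports the fix as not listed, which matches the thread: that OpenSSL version predates the bug, so the line only calls for action on COS6.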
