Re: [qmailtoaster] Re: heartbleed bug
Hi. Just received this very useful information regarding the Heartbleed bug from the nginx mailing list:
http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

Regards,
Finn

On 10-04-2014 23:10, Dave M wrote:
Hell yes

-----Original Message-----
From: Eric Shubert
Sent: Thursday, April 10, 2014 12:52 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: heartbleed bug

Just a reminder, that COS5 hosts aren't susceptible to this bug. It was introduced in a version of openssl which is later than what COS5 uses.
Are you now glad that you haven't yet upgraded? ;)

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Re: heartbleed bug
Hi Eric

What is the correct path, as the makecert fails?
/var/qmail/bin/makecert.sh: No such file or director

Dave M

-----Original Message-----
From: Eric Shubert
Sent: Wednesday, April 09, 2014 1:01 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: heartbleed bug

I'd like to add a few details here.

If you use the stock self-signed cert, you should still probably regenerate this by doing:
  # service qmail stop
  # mv /var/qmail/control/servercert.pem \
       /var/qmail/control/servercert.pem.compromised
  # /var/qmail/bin/makecert.sh
  # service qmail start

If you use your own cert/key, then you should know what you need to do for that, which is beyond the scope of this email.

The dh keys used in the TLS key negotiation process should be generated automatically every day by cron, which runs the /var/qmail/bin/dh_key script. You might want to verify the dates of these files:
  # ls -l /var/qmail/control/dh*
If these weren't modified today, check your crontab.

Thanks for clarifying this, Steve.

--
-Eric 'shubes'

On 04/08/2014 06:52 PM, Steve Huff wrote:
hey folks - please be aware that simply patching OpenSSL is NOT sufficient to mitigate the risk. if you have been using a RHEL/CentOS 6 system to host services secured by SSL, then you should consider your keys compromised, revoke your keys, and deploy new keys and new certs.

read http://heartbleed.com to learn more.

-steve

On Apr 8, 2014, at 7:57 PM, Cecil Yother, Jr. c...@yother.com wrote:
FYI, This fix has only come out in the past few days.

On 04/08/2014 04:54 PM, Eric Shubert wrote:
On 04/08/2014 01:04 PM, Peter Peterse wrote:
Finn Buhelt wrote on 8-4-2014 21:53:
Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)

"New security holes are always showing up. The latest one, the so-called Heartbleed Bug (http://heartbleed.com/) in the OpenSSL (https://www.openssl.org/) cryptographic library, is an especially bad one" - taken from zdnet.com

Regards,
Finn

Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.
CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter

RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.

To check if your package has the fix applied, you can:
  $ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum) update your openssl package.
Re: [qmailtoaster] Re: heartbleed bug
Did some searching, would this be correct?
https://github.com/QMailToaster/qmail/blob/master/makecert.sh

-----Original Message-----
From: Dave M
Sent: Thursday, April 10, 2014 8:18 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: heartbleed bug

Apologies, this is a CentOS 5.10 installation.

  qtp-whatami
  qtp-whatami v0.3.8 Thu Apr 10 08:18:25 MDT 2014
  REAL_DIST=CentOS
  DISTRO=CentOS
  OSVER=5.10
  QTARCH=i686
  QTKERN=2.6.18-371.3.1.el5
  BUILD_DIST=cnt50
  BUILD_DIR=/usr/src/redhat

Dave M

-----Original Message-----
From: Dave M
Sent: Thursday, April 10, 2014 8:15 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: heartbleed bug

Hi Eric

What is the correct path, as the makecert fails?
/var/qmail/bin/makecert.sh: No such file or director

Dave M
Re: [qmailtoaster] Re: heartbleed bug
Thanks Eric, and everyone involved in this.
The COS6 packages will be promoted from testing to current very

Dave M

-----Original Message-----
From: Eric Shubert
Sent: Thursday, April 10, 2014 8:08 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: heartbleed bug

Thanks for finding this, Dave.
I forgot that I created this script in the new COS6 version by taking the code out of the spec file. I didn't realize how soon that'd be useful. :)

If anyone's wondering, the script should work the same on COS5.

I just looked at the code, and noticed that it uses a 1024-bit key. I'll change that to 2048-bit. Everyone who is running the COS6 qmail package with the stock servercert.pem file should change their makecert.sh script before running it.

Thanks.

P.S. The COS6 packages will be promoted from testing to current very soon. :)

--
-Eric 'shubes'

On 04/10/2014 08:24 AM, Dave M wrote:
Did some searching, would this be correct?
https://github.com/QMailToaster/qmail/blob/master/makecert.sh
Re: [qmailtoaster] Re: heartbleed bug
Hell yes

-----Original Message-----
From: Eric Shubert
Sent: Thursday, April 10, 2014 12:52 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: heartbleed bug

Just a reminder, that COS5 hosts aren't susceptible to this bug. It was introduced in a version of openssl which is later than what COS5 uses.
Are you now glad that you haven't yet upgraded? ;)

--
-Eric 'shubes'

On 04/10/2014 08:18 AM, Dave M wrote:
Apologies, this is a CentOS 5.10 installation.

Dave M
Re: [qmailtoaster] Re: heartbleed bug
On 4/10/2014 1:52 PM, Eric Shubert wrote:
Just a reminder, that COS5 hosts aren't susceptible to this bug. It was introduced in a version of openssl which is later than what COS5 uses.
Are you now glad that you haven't yet upgraded? ;)

That's the FIRST thing I thought!
Re: [qmailtoaster] Re: heartbleed bug
FYI, This fix has only come out in the past few days.

On 04/08/2014 04:54 PM, Eric Shubert wrote:
On 04/08/2014 01:04 PM, Peter Peterse wrote:
Finn Buhelt wrote on 8-4-2014 21:53:
Hi list

Will this affect QMT? (latest release uses openssl-1.01 which is hit)

"New security holes are always showing up. The latest one, the so-called Heartbleed Bug (http://heartbleed.com/) in the OpenSSL (https://www.openssl.org/) cryptographic library, is an especially bad one" - taken from zdnet.com

Regards,
Finn

Hi Finn,

I've read CentOS 6 is affected and CentOS 5 not.
CentOS 5.10 contains OpenSSL 0.9.8e

Regards,
Peter

RHEL/CentOS has fixed this in openssl-1.0.1e-16.el6_5.7
The fixed package was in all of the mirrors I happened to catch.

To check if your package has the fix applied, you can:
  $ rpm -q openssl --changelog | grep CVE-2014-0160
If you get nothing back (and you're on COS6) you should (yum) update your openssl package.

--
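The checks raised across this thread (which OpenSSL branch a host runs, whether the RPM changelog names CVE-2014-0160 as CJ suggests, whether the dh files are being regenerated daily and what key size servercert.pem carries, as Eric suggests) fit in one audit script. The script below is an added example by the editor, not code from the QMT project or from anyone on the list. The paths are the ones quoted in the thread; the function names and the `audit` argument are the editor's; the branch table is upstream's (1.0.1 through 1.0.1f vulnerable, 1.0.1g and later fixed, 0.9.8 and 1.0.0 never contained the heartbeat code). It only touches `rpm`, `openssl` and the live filesystem when invoked with `audit`; the classification and parsing functions run on constructed input.

```shell
#!/bin/sh
# Added example (editor's, not QMT's): post-Heartbleed audit for a
# qmailtoaster host. Paths are those quoted in the thread; function names
# are the editor's.

QMAIL_CONTROL=${QMAIL_CONTROL:-/var/qmail/control}

# Classify an OpenSSL version string by upstream branch. Accepts "1.0.1e",
# "1.0.1e-fips", "1.0.1e-16.el6_5.7" or a whole `openssl version` line.
# Upstream: 1.0.1 .. 1.0.1f vulnerable, 1.0.1g+ fixed, 0.9.8/1.0.0 never
# had the heartbeat extension. "affected-branch" does NOT mean vulnerable
# on EL6: the fix was backported without bumping 1.0.1e, so the package
# changelog is the authority there (see changelog_has_fix).
openssl_branch_status() {
    ver=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL //' -e 's/[^0-9a-z.].*$//')
    case $ver in
        1.0.1|1.0.1[a-f]) echo affected-branch ;;
        1.0.1[g-z]*)      echo fixed ;;
        0.9.8*|1.0.0*)    echo unaffected ;;
        *)                echo unknown ;;
    esac
}

# Read an RPM changelog on stdin; true when the CVE is mentioned.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Live-host wrapper for the check CJ posted.
rpm_openssl_fixed() {
    rpm -q openssl --changelog 2>/dev/null | changelog_has_fix
}

# True when the file is missing or has not been modified in the last 24h.
# The dh files are rewritten daily by the dh_key cron job, so a stale one
# means that job is not running.
is_stale() {
    [ -e "$1" ] || return 0
    [ -n "$(find "$1" -mtime +0 2>/dev/null)" ]
}

# RSA modulus size of a PEM certificate (needs the openssl binary).
# Eric found makecert.sh generating 1024-bit keys; a regenerated stock
# cert should report 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

audit_host() {
    rc=0
    v=$(openssl version 2>/dev/null)
    status=$(openssl_branch_status "$v")
    echo "openssl: $v -> $status"
    if [ "$status" = affected-branch ]; then
        if rpm_openssl_fixed; then
            echo "  changelog names CVE-2014-0160: patched (still rotate the key/cert the old build served)"
        else
            echo "  CVE-2014-0160 NOT in rpm changelog: yum update openssl"
            rc=1
        fi
    fi
    for f in "$QMAIL_CONTROL"/dh*; do
        if is_stale "$f"; then
            echo "  stale or missing: $f (check the dh_key cron job)"
            rc=1
        fi
    done
    bits=$(cert_key_bits "$QMAIL_CONTROL/servercert.pem")
    echo "servercert.pem key: ${bits:-unreadable} bits"
    [ "${bits:-0}" -ge 2048 ] || { echo "  key below 2048 bits: regenerate"; rc=1; }
    return $rc
}

# Run as `sh heartbleed_audit.sh audit`; sourcing the file only defines the functions.
if [ "${1:-}" = audit ]; then
    audit_host
fi
```

A non-zero exit means at least one finding. Note that the version string alone never clears an EL6 host: `openssl version` prints 1.0.1e both before and after the fixed package, which is exactly why the thread fell back to `rpm -q openssl --changelog`.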