OpenSSL 1.0.1h Fixes Serious Bug

[mpfrench]

Need to integrate OpenSSL 1.0.1h ASAP.

[Bill48105]

Need to integrate OpenSSL 1.0.1h ASAP.

Thx will work on getting a new experimental posted ASAP. In the meantime you can always use the special build I posted with openssl dynamically linked if need be.
Bill

[Bill48105]

Ok posted:
http://www.hmailserver.com/forum/viewto ... 10&t=21420

2014-06-05 5.4-B2014060501
* IMPORTANT: This build has a LOT of extra debug logging but NOT shown by default. [Settings]LogLevel=10 for some extra to 100 for extremely verbose
* URGENT: Critical OpenSSL MitM vulnerability http://www.pcworld.com/article/2360560/ ... pying.html
* Upated hmailserver to openssl-1.0.1h
* FIX: Added new 250 Help as always last EHLO response to fix 250-STARTTLS gmail issue (Last in list MUST be space not dash)

[mpfrench]

Bill, your log date is off by a month.

[Bill48105]

Bill, your log date is off by a month.

are you sure?

Did you try it?
thx
Bill

[mpfrench]

Somebody corrected the date. It is OK now.

[Bill48105]

Somebody corrected the date. It is OK now.

lol yes i did
Soo.. Did you actually try the new build since you were the one who pointed out the bug?
Bill

[Bill48105]

So take it no one was excited that I posted up a new build so quickly?

[mpfrench]

I just installed the new build and will let you know how it does after it runs a while.

[Bill48105]

I just installed the new build and will let you know how it does after it runs a while.

Thx. Guess it's a good sign if it actually runs as I didn't test it at all. But yeah was curious if it'd actually start, if SSL still worked and if the openssl bug was fixed.

People must not be as concerned with this as heartbleed as seems less of a sense of urgency from people.
Thx
Bill

[mattg]

This one had been in the wild for 15 years, and relies on a Man-in-the-middle type attack.

Still very troubling though

[prisma]

THX Bill for your fast response. I'll test it too.

[Bill48105]

This one had been in the wild for 15 years, and relies on a Man-in-the-middle type attack.

Still very troubling though

Indeed been around a long time but once exposed all bets are off as it'll be hot spot for attacks now. I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol

THX Bill for your fast response. I'll test it too.

Ok great thanks.

[mattg]

I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol

Yes indeed...

To be honest I gave up on SSL after the heartbleed stuff.
I would have to pay to revoke the StartSSL certificates that I was using, and well, if I'm going to pay, I'll buy a certificate up front from a company with some real customer service, not just attitude.

I haven't done that yet, as SSL isn't a complete solution to security or privacy issues.

So sorry, I can't help test this at the moment...

[Bill48105]

I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol

Yes indeed...

To be honest I gave up on SSL after the heartbleed stuff.
I would have to pay to revoke the StartSSL certificates that I was using, and well, if I'm going to pay, I'll buy a certificate up front from a company with some real customer service, not just attitude.

I haven't done that yet, as SSL isn't a complete solution to security or privacy issues.

So sorry, I can't help test this at the moment...

indeed. all boils down to what you are trying to protect from who. if someone wants yer stuff bad enough they will get it. so I figure it's for casual protection. sadly many people assume it protects more than it does but that's not our problem.
cheers

[martin]

For what it's worth, a new release is now up which includes OpenSSL 1.0.1h

[Bill48105]

For what it's worth, a new release is now up which includes OpenSSL 1.0.1h

ok thanks martin

[mpfrench]

Bill, I have been running your beta build for a week now without noticing any problems. I assume that this is equivalent to the latest production build that Martin released.

[Bill48105]

Bill, I have been running your beta build for a week now without noticing any problems. I assume that this is equivalent to the latest production build that Martin released.

OK cool glad it's working. Actually the 2 builds are so out of sync these days in reality they are quite different. But you'd have to compare changelogs to see what changed in each & if they apply to you or not. For most people using either should be close enough to the same to not make a difference but for others it could be. Generally speaking though if things are working & you don't need feature that's in the other then stick with what you have. I use the experimental builds myself but then again they are my builds more suited for my needs too.
Bill