OpenSSL 1.0.1h Fixes Serious Bug
Need to integrate OpenSSL 1.0.1h ASAP.
Re: OpenSSL 1.0.1h Fixes Serious Bug
mpfrench wrote: Need to integrate OpenSSL 1.0.1h ASAP.
Thx will work on getting a new experimental posted ASAP. In the meantime you can always use the special build I posted with openssl dynamically linked if need be.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***
Re: OpenSSL 1.0.1h Fixes Serious Bug
Ok posted:
http://www.hmailserver.com/forum/viewto ... 10&t=21420
2014-06-05 5.4-B2014060501
* IMPORTANT: This build has a LOT of extra debug logging but NOT shown by default. [Settings]LogLevel=10 for some extra to 100 for extremely verbose
* URGENT: Critical OpenSSL MitM vulnerability http://www.pcworld.com/article/2360560/ ... pying.html
* Updated hmailserver to openssl-1.0.1h
* FIX: Added new 250 Help as always last EHLO response to fix 250-STARTTLS gmail issue (Last in list MUST be space not dash)
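The EHLO item in the changelog above is about SMTP multiline reply framing: every line except the last uses `250-`, and the last uses `250` followed by a space. The following is an added example, not part of the original post and not hMailServer code; it checks a captured EHLO reply for that framing and for a STARTTLS advertisement. The function name and both sample replies are constructed for illustration.

```python
import re

# One reply line: 3-digit code, then "-" (more lines follow) or " " (final
# line), then text. A bare code with no separator is also a valid final line.
LINE_RE = re.compile(r"(\d{3})(?:([ -])(.*))?")

# Constructed samples (not captured from a real server).
BROKEN = (b"250-mail.example.test\r\n250-SIZE 20480000\r\n"
          b"250-AUTH LOGIN\r\n250-STARTTLS\r\n")
FIXED = BROKEN + b"250 HELP\r\n"


def check_ehlo_reply(raw: bytes) -> dict:
    """Check multiline-reply framing of an EHLO response and list keywords."""
    problems, keywords = [], []
    text = raw.decode("ascii", errors="replace")
    if not text.endswith("\r\n"):
        problems.append("reply is not terminated by CRLF")
    lines = [ln for ln in text.split("\r\n") if ln]
    if not lines:
        problems.append("empty reply")
    first_code = None
    for idx, line in enumerate(lines):
        last = idx == len(lines) - 1
        m = LINE_RE.fullmatch(line)
        if not m:
            problems.append(f"line {idx + 1}: not a valid reply line: {line!r}")
            continue
        code, sep, rest = m.group(1), m.group(2), m.group(3) or ""
        first_code = first_code or code
        if code != first_code:
            problems.append(f"line {idx + 1}: code {code} differs from {first_code}")
        if last and sep == "-":
            problems.append(f"line {idx + 1}: final line uses '-', client waits for more")
        if not last and sep != "-":
            problems.append(f"line {idx + 1}: reply ends here but more lines follow")
        # Line 1 carries the server greeting; later lines carry one keyword each.
        if idx > 0 and rest.strip():
            keywords.append(rest.split()[0].upper())
    return {"ok": not problems, "problems": problems,
            "keywords": keywords, "starttls": "STARTTLS" in keywords}


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_ehlo_reply(sample))
```
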
Re: OpenSSL 1.0.1h Fixes Serious Bug
Bill, your log date is off by a month.
Re: OpenSSL 1.0.1h Fixes Serious Bug
mpfrench wrote: Bill, your log date is off by a month.
are you sure?

Did you try it?
thx
Bill
Re: OpenSSL 1.0.1h Fixes Serious Bug
Somebody corrected the date. It is OK now.
Re: OpenSSL 1.0.1h Fixes Serious Bug
mpfrench wrote: Somebody corrected the date. It is OK now.
lol yes i did

Soo.. Did you actually try the new build since you were the one who pointed out the bug?

Bill
Re: OpenSSL 1.0.1h Fixes Serious Bug
So take it no one was excited that I posted up a new build so quickly? 

Re: OpenSSL 1.0.1h Fixes Serious Bug
I just installed the new build and will let you know how it does after it runs a while.
Re: OpenSSL 1.0.1h Fixes Serious Bug
mpfrench wrote: I just installed the new build and will let you know how it does after it runs a while.
Thx. Guess it's a good sign if it actually runs as I didn't test it at all.

People must not be as concerned with this as heartbleed as seems less of a sense of urgency from people.
Thx
Bill
Re: OpenSSL 1.0.1h Fixes Serious Bug
This one had been in the wild for 15 years, and relies on a Man-in-the-middle type attack.
Still very troubling though
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: OpenSSL 1.0.1h Fixes Serious Bug
THX Bill for your fast response. I'll test it too.
Re: OpenSSL 1.0.1h Fixes Serious Bug
mattg wrote: This one had been in the wild for 15 years, and relies on a Man-in-the-middle type attack.
Still very troubling though

Indeed been around a long time but once exposed all bets are off as it'll be hot spot for attacks now. I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol

prisma wrote: THX Bill for your fast response. I'll test it too.

Ok great thanks.
Re: OpenSSL 1.0.1h Fixes Serious Bug
Bill48105 wrote: I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol
Yes indeed...
To be honest I gave up on SSL after the heartbleed stuff.
I would have to pay to revoke the StartSSL certificates that I was using, and well, if I'm going to pay, I'll buy a certificate up front from a company with some real customer service, not just attitude.
I haven't done that yet, as SSL isn't a complete solution to security or privacy issues.
So sorry, I can't help test this at the moment...
Re: OpenSSL 1.0.1h Fixes Serious Bug
mattg wrote:
Bill48105 wrote: I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol
Yes indeed...
To be honest I gave up on SSL after the heartbleed stuff.
I would have to pay to revoke the StartSSL certificates that I was using, and well, if I'm going to pay, I'll buy a certificate up front from a company with some real customer service, not just attitude.
I haven't done that yet, as SSL isn't a complete solution to security or privacy issues.
So sorry, I can't help test this at the moment...

indeed. all boils down to what you are trying to protect from who. if someone wants yer stuff bad enough they will get it. so I figure it's for casual protection. sadly many people assume it protects more than it does but that's not our problem.

cheers
Re: OpenSSL 1.0.1h Fixes Serious Bug
For what it's worth, a new release is now up which includes OpenSSL 1.0.1h
Re: OpenSSL 1.0.1h Fixes Serious Bug
martin wrote: For what it's worth, a new release is now up which includes OpenSSL 1.0.1h
ok thanks martin
Re: OpenSSL 1.0.1h Fixes Serious Bug
Bill, I have been running your beta build for a week now without noticing any problems. I assume that this is equivalent to the latest production build that Martin released.
Re: OpenSSL 1.0.1h Fixes Serious Bug
mpfrench wrote: Bill, I have been running your beta build for a week now without noticing any problems. I assume that this is equivalent to the latest production build that Martin released.
OK cool glad it's working. Actually the 2 builds are so out of sync these days in reality they are quite different. But you'd have to compare changelogs to see what changed in each & if they apply to you or not. For most people using either should be close enough to the same to not make a difference but for others it could be. Generally speaking though if things are working & you don't need feature that's in the other then stick with what you have. I use the experimental builds myself but then again they are my builds more suited for my needs too.

Bill