GFI Software

Kerio Connect forum thread: CVE-2014-0160 / OpenSSL Heartbleed (When will you have a patch for OpenSSL Heartbleed?)

CVE-2014-0160 / OpenSSL Heartbleed [message #112285] Tue, 08 April 2014 07:37
markm
Messages: 2
Registered: April 2014
It appears that Kerio Connect has a bundled version of OpenSSL that is vulnerable to CVE-2014-0160.

I have run a scanner on my mail server and even though I updated the installed OpenSSL I am still vulnerable because of the bundled OpenSSL.

When will there be an update that addresses this?
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112287 is a reply to message #112285] Tue, 08 April 2014 09:59
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
Yes, there will be an update.

Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112295 is a reply to message #112287] Tue, 08 April 2014 11:22
bmdv
Messages: 53
Registered: June 2004
Location: Germany
ETA?
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112297 is a reply to message #112295] Tue, 08 April 2014 11:24
b-tom
Messages: 184
Registered: January 2006
More information on that: http://www.heartbleed.com
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112304 is a reply to message #112285] Tue, 08 April 2014 12:20
Marko Engelmann (TESIS)
Messages: 13
Registered: May 2009
Hi,
To stress this point: the exact question was "WHEN"?

Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112315 is a reply to message #112304] Tue, 08 April 2014 13:37
campodoro74
Messages: 9
Registered: November 2006
Location: Genova
Dobry, this update is coming TODAY?
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112318 is a reply to message #112315] Tue, 08 April 2014 13:50
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
All updates will be posted at http://forums.kerio.com/t/27043//

We are working on a hotfix and it should be available in 24 hours. We are trying to speed up the whole release process and necessary testing to the maximum. Thank you for understanding.


Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112319 is a reply to message #112318] Tue, 08 April 2014 13:51
campodoro74
Messages: 9
Registered: November 2006
Location: Genova
Excellent, thank you for your prompt reply!
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112320 is a reply to message #112285] Tue, 08 April 2014 14:08
artanis
Messages: 1
Registered: April 2014
Location: Russia
I can get admin session id / mail thread / mail names and other.

[Updated on: Tue, 08 April 2014 14:09]

Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112322 is a reply to message #112285] Tue, 08 April 2014 14:47
hugge
Messages: 2
Registered: April 2014
Location: Sweden
Yes.

It is possible to read any emails, get any admin session or whatever from all of our kerio-installations. From anywhere. Not cool to have ssl bundled into the application instead of running the system-wide version of SSL.

Wonder who has read all of our emails the last year or so? Guess we will never know.
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112328 is a reply to message #112322] Tue, 08 April 2014 15:27
Jeeves_
Messages: 23
Registered: May 2010
Location: Ede, NL
Please note that both Control and Operator are affected too.

I've just been reading some of my emails via this bug. I prefer to just use my Thunderbird. Plz hurry up with the update..


Offering Kerio and much more. See http://www.tuxis.nl and http://www.kerioindecloud.nl/
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112329 is a reply to message #112328] Tue, 08 April 2014 15:29
mwd
Messages: 49
Registered: March 2011
Yeah it is pretty bad, all our Debian servers have been updated but I can still read email on any Kerio server out there :(

There is also no point revoking and changing our passwords until we have patched/updated all applications with this issue, so we must wait while our private keys might be getting copied :( :(

[Updated on: Tue, 08 April 2014 15:30]

Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112338 is a reply to message #112329] Tue, 08 April 2014 16:54
Maerad
Messages: 275
Registered: August 2013
Please try to keep your calm - I'm sure they're working on the bug with full priority. Try to keep in mind that Kerio is used in many production environments and even with a catastrophic bug like that one, the fix has to be tested.

They can't just copy the new files into the installer and be done. I prefer a fix that is at least tested with the most configs than a fast one that disables half the system or deletes something.

For now I've shut down Kerio (glad the work day just ended) and our backup mail server (hMailServer, which also has the TLS bug, but there I disabled SSL for the duration the fix needs) receives all mails.

And after the fix I have to create all certs anew and force a reset for the user passwords. wohooo :3
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112339 is a reply to message #112338] Tue, 08 April 2014 17:02
markm
Messages: 2
Registered: April 2014
The bug can be patched by adding a flag to OpenSSL during compile to disable heartbeat.

No one should be calm because this should be done already.

I stayed up all night last night patching customers' servers.
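
As an added, defender-side illustration (not from the thread, and not Kerio's or GFI's code): a Python check that classifies the output of `openssl version -a` as affected by CVE-2014-0160 or not, honouring the compile-time heartbeat flag markm mentions; run against the copy of OpenSSL an application actually ships, rather than the system one, it shows the gap markm's first post describes. All sample outputs below are constructed, and the check goes beyond the single flag in the post by also covering the affected release range.

```python
import re

# Release ranges affected by CVE-2014-0160 (Heartbleed): OpenSSL 1.0.1 through
# 1.0.1f, plus 1.0.2-beta1. 0.9.8 and 1.0.0 never had the TLS heartbeat code;
# 1.0.1g shipped the fix. A build compiled with -DOPENSSL_NO_HEARTBEATS (the
# compile-time flag mentioned above) is unaffected whatever its version says.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def version_is_vulnerable(version_line):
    """True if the version string falls in the affected release range."""
    m = _VERSION_RE.search(version_line)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version line: {version_line!r}")
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"   # "" (1.0.1 and its betas) up to "f" affected, "g"+ fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == "1"     # only the first 1.0.2 beta shipped the bug
    return False

def assess_openssl_build(version_a_output):
    """Classify the text of `openssl version -a`: the first line is the version,
    the 'compiler:' line carries the build flags. Caveat: distributions that
    backport the fix keep the old version string (a patched 1.0.1e still says
    1.0.1e), so an 'affected' verdict for an OS package must be cross-checked
    with the vendor advisory; a copy bundled inside an application is not
    touched by that OS update at all, which is the situation in this thread."""
    lines = version_a_output.strip().splitlines()
    flags = next((l for l in lines if l.lower().startswith("compiler:")), "")
    heartbeats_disabled = "OPENSSL_NO_HEARTBEATS" in flags
    affected = version_is_vulnerable(lines[0])
    return {
        "version": _VERSION_RE.search(lines[0]).group(0),
        "affected_version": affected,
        "heartbeats_disabled": heartbeats_disabled,
        "vulnerable": affected and not heartbeats_disabled,
    }

# Constructed sample outputs (not captured from any real host): a patched
# system OpenSSL, a stale copy bundled with an application, and a bundled copy
# rebuilt with heartbeats disabled.
SYSTEM_OPENSSL = """OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall"""
BUNDLED_OPENSSL = """OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall"""
REBUILT_OPENSSL = """OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -O3 -Wall"""
```

A scanner that speaks TLS to the service, as in the first post, remains the authoritative check, since it tests the library the process actually loaded rather than whatever binary happens to be on PATH.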

Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112341 is a reply to message #112338] Tue, 08 April 2014 17:10
Marko Engelmann (TESIS)
Messages: 13
Registered: May 2009
Yes - and in defence of Kerio: the "custom" OpenSSL library made features like PFS and elliptic curve encryption possible - which are not available using the OS-supplied libraries on some supported platforms.

That's the sad part of this issue: you are getting punished for using a state-of-the-art library - to provide features the customers (we!) were calling for...

[Updated on: Tue, 08 April 2014 17:15]
