Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112343 is a reply to message #112339]
Tue, 08 April 2014 17:31
Maerad
Messages: 275 Registered: August 2013
markm wrote on Tue, 08 April 2014 17:02:
> The bug can be patched by adding a flag to OpenSSL during compile to disable heartbeat.
> No one should be calm because this should be done already.
> I stayed up all night last night patching customers' servers.

Well - the bug IS a real problem, but I can't do any more than wait for an update. I have Kerio running on a Server 2012 machine - no way to compile it.
That's what I meant in another thread with the "that's why they have it all in one package".
They have to implant the fix to macOS, Windows and Linux, test them all, create an installer, test again etc. pp. That needs some time.
Btw. you're quite brave to disable it - I hope it won't bite you back because something doesn't work anymore.
And don't forget to let your customers change the SSL cert and force a PW reset after your fix.
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112347 is a reply to message #112343]
Tue, 08 April 2014 18:00
Marko Engelmann (TESIS)
Messages: 13 Registered: May 2009
Guys,
after getting the creeps waiting for an official fix, I just downloaded 1.0.1g of OpenSSL, ran "./config shared -DOPENSSL_NO_HEARTBEATS" and replaced the created libssl/libcrypt with the ones supplied by Kerio (named libktssl/libktcrypt). The server seems to run fine...
Platform: CentOS 5 / 32-bit
After having done this, Kerio will release the official fix in about 30 seconds now.
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112461 is a reply to message #112285]
Wed, 09 April 2014 21:04
oregonbob
Messages: 11 Registered: January 2009
I installed the patch successfully and all is working as advertised.
I am running an 8.2.2 VM. Kerio's fancy Samepage changes the right-click options in my web browser, therefore I cannot right-click and do a copy-download-link so I can use "wget" to download it onto the VM. The VM doesn't have a web browser!
Therefore I had to download the patch on a different machine with a web browser, then SFTP it to my Kerio VM.
So: Kerio support should always provide a download link that can be copied for use with the wget command!
Re: CVE-2014-0160 / OpenSSL Heartbleed [message #112479 is a reply to message #112285]
Thu, 10 April 2014 02:37
MarkK
Messages: 342 Registered: April 2007
Just my experience...
I was running KC 8.1.2, and according to the Chrome add-on Chromebleed and the web site http://filippo.io/Heartbleed/ that will check for the Heartbleed vulnerability, my Windows-based Kerio Connect install was not vulnerable.
Don't know if it was the version I was running, or my security appliance was blocking it, but supposedly I didn't have the vulnerability. Updating anyway to the latest release.
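Besides the external scanners mentioned above and rebuilding with OPENSSL_NO_HEARTBEATS as described earlier in the thread, a defender can also inspect TLS traffic passively for the CVE-2014-0160 pattern: a heartbeat record (content type 24) whose declared payload length exceeds what the record actually carries. The following is an added example, not code from the thread or from Kerio, that parses TLS records from a constructed byte string and flags such heartbeats; once heartbeats are compiled out, any heartbeat record at all is worth an alert.

```python
import struct

HEARTBEAT = 24              # TLS content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding

def parse_tls_records(data):
    """Split a byte string into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record: stop rather than misparse
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records

def check_heartbeat(body):
    """Verdict for one heartbeat record body.
    'ok'        : declared payload plus 16 bytes padding fits in the record
    'oversized' : declared payload length exceeds the record (CVE-2014-0160 pattern)
    'malformed' : too short or unknown heartbeat type
    """
    if len(body) < 3:
        return "malformed"
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    if 3 + payload_len + MIN_PADDING > len(body):
        return "oversized"
    return "ok"

def scan(data):
    """Return (record_index, verdict) for every heartbeat record in data."""
    return [(i, check_heartbeat(body))
            for i, (ctype, _ver, body) in enumerate(parse_tls_records(data))
            if ctype == HEARTBEAT]

def tls_record(ctype, body, version=(3, 2)):
    """Wrap a body in a TLS record header (constructed test helper)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body

# Constructed sample traffic (not a real capture): one application-data record,
# a well-formed heartbeat request, and one whose declared length is far too large.
GOOD_HB = bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING
BAD_HB = bytes([HB_REQUEST]) + struct.pack("!H", 0x0400) + b"\x00" * MIN_PADDING
SAMPLE = tls_record(23, b"\xde\xad\xbe\xef") + tls_record(HEARTBEAT, GOOD_HB) + tls_record(HEARTBEAT, BAD_HB)

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE):
        print(f"record {idx}: heartbeat {verdict}")
```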