Openssl problem [message #112294]
Tue, 08 April 2014 11:12
urban.hake
Messages: 18 Registered: May 2012 Location: Sweden
What is being done about this?
Problem description
The vulnerability in OpenSSL 1.0.1 (and 1.0.2-beta) can be used to read the private memory of the application protected with OpenSSL
and thus get hold of secrets such as keys from X.509 certificates, usernames and passwords.
Solution
Upgrade to OpenSSL version 1.0.1g
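A defensive check that follows from the post above, added here as an example (it is not code from the thread or from Kerio): given the string printed by `openssl version`, it decides whether the build falls in the affected range the post states (1.0.1 up to 1.0.1f and the 1.0.2 betas) or is at least the fixed 1.0.1g. The `check_binary` helper and its default binary path are assumptions, since the thread does not give the path of the OpenSSL that Kerio bundles.

```python
import re
import subprocess

# Affected range taken from the post: OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2 betas carry the memory-disclosure bug; 1.0.1g is the fixed release.
# Older branches (0.9.8, 1.0.0) never contained the affected code.
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?"
)


def parse_version(text):
    """Parse 'OpenSSL 1.0.1e 11 Feb 2013' or '1.0.2-beta1' into
    (major, minor, fix, letter_suffix, beta_number_or_None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letters, beta = m.groups()
    return (int(major), int(minor), int(fix), letters, int(beta) if beta else None)


def is_affected(text):
    """True if the version string names a build in the affected range."""
    major, minor, fix, letters, beta = parse_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # Plain 1.0.1 and 1.0.1a..1.0.1f are affected; 1.0.1g onward is fixed.
        return letters < "g"
    if (major, minor, fix) == (1, 0, 2):
        # In April 2014 only 1.0.2 betas existed, and they are affected.
        return beta is not None
    return False


def check_binary(openssl_path="openssl"):
    """Run `<openssl_path> version` and classify the result. The path is an
    assumption: point it at the bundled binary of the product being checked."""
    out = subprocess.run([openssl_path, "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), is_affected(out)


if __name__ == "__main__":
    version, affected = check_binary()
    verdict = "AFFECTED - upgrade to 1.0.1g or later" if affected else "not affected"
    print(f"{version}: {verdict}")
```

A version string alone can give a false positive where a distribution has backported the fix into an older-numbered build, so treat an "affected" result as a prompt to confirm against the package changelog rather than as the final word.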
Re: Openssl problem [message #112323 is a reply to message #112294]
Tue, 08 April 2014 14:54
hugge
Messages: 2 Registered: April 2014 Location: Sweden
The exploit works great on our Kerio installations. You can read emails, get session IDs and more or less dump everything the server handles. Huge problem. Please get an update *very* soon.
Why have OpenSSL bundled instead of using the system OpenSSL? Then this problem would have been solved 2 hours after it got discovered.
Re: Openssl problem [message #112324 is a reply to message #112323]
Tue, 08 April 2014 15:09
Maerad
Messages: 275 Registered: August 2013
Quote: Why have OpenSSL bundled instead of using the system OpenSSL? Then this problem would have been solved 2 hours after it got discovered.
Just think about it for more than 2 seconds.
Kerio is made to run on many different systems. There are many different programs for SSL to be used, many different versions, many different configs. That way Kerio can't work, because they don't know how the system might be configured, or maybe some dependencies are missing.
Also it wouldn't work with the "easy install" option, because you would have to install, configure and link your local OpenSSL installation. Not to mention that most of the linked assistant systems in the menu might not work because of a different config, paths and so on.
And don't get me started on admins with less knowledge, who don't even know HOW to update something or edit a config in bash. Or how to use a specific OpenSSL program version and not the newest one for Ubuntu.
If you want to provide a fully working, configured and easy to install/use system, you are forced to include all the important programs it needs. Simple as that.
The same goes for other projects that each install their own Tomcat server and Java version instead of using the system-wide one.