Heartbleed OpenSSL vulnerability

Postby HVGS » Wed Apr 09, 2014 4:18 am

Hi,

Are any Ability Mail Server versions affected by this vulnerability?

http://heartbleed.com/

Thanks,
Phil
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Heartbleed OpenSSL vulnerability

Postby Code Crafters » Wed Apr 09, 2014 9:10 pm

No versions of Ability Mail Server or Ability FTP Server are affected by this vulnerability.

From the OpenSSL website: https://www.openssl.org/news/vulnerabilities.html

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)


The latest Ability Mail Server and Ability FTP Server version of OpenSSL is 1.0.0a which is not affected by this vulnerability which is now fixed in the latest version currently 1.0.1g. We will be looking to upgrade to the latest OpenSSL DLLs in the next update soon.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Heartbleed OpenSSL vulnerability

Postby HVGS » Wed Apr 09, 2014 9:46 pm

Thanks Chris. That's what I thought but wanted to check.

Regards,
Phil
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Heartbleed OpenSSL vulnerability

Postby sland » Thu Apr 10, 2014 12:42 am

Please clarify. You state that

"No versions of Ability Mail Server or Ability FTP Server are affected by this vulnerability."

but then say that

"The latest Ability Mail Server and Ability FTP Server version of OpenSSL is 1.0.0a which is not affected by this vulnerability which is now fixed in the latest version currently 1.0.1g"

What is true? NO versions or only the latest versions are secure?

PS I'm running AMS 3.10
sland
 
Posts: 4
Joined: Tue Oct 13, 2009 10:13 pm

Re: Heartbleed OpenSSL vulnerability

Postby Code Crafters » Thu Apr 10, 2014 5:47 pm

The vulnerability was fixed in OpenSSL 1.0.1g but was a problem in versions 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1

Ability Mail / FTP Servers are currently using 1.0.0a which was before the vulnerability was introduced.

We will update to the latest 1.0.1g (or later) in our next update.

To clarify, both 1.0.0a and 1.0.1g are not affected by the vulnerability. Sorry if this wasn't clear enough before.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm
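
The version boundaries given in this thread, written as a check. This is an added example, not code from Code Crafters or the OpenSSL project; the function names and sample strings are constructed, and treating pre-release builds as "unknown" is an assumption because the quoted list does not mention them.

```python
import re

# Boundaries as quoted in the thread from the OpenSSL advisory:
# 1.0.1 through 1.0.1f affected, fixed in 1.0.1g, nothing before 1.0.1.
# Sort key: (major, minor, fix, number of suffix letters, suffix letters),
# so "1.0.1" < "1.0.1a" < "1.0.1g" and "0.9.8y" < "0.9.8za".
FIRST_AFFECTED = (1, 0, 1, 0, "")
FIRST_FIXED = (1, 0, 1, 1, "g")

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(-(?:beta|pre|dev)\w*)?"
)


def parse_openssl_version(text):
    """Return (sort_key, is_prerelease) for the first version found in text."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    letters = m.group(4)
    key = (int(m.group(1)), int(m.group(2)), int(m.group(3)),
           len(letters), letters)
    return key, m.group(5) is not None


def heartbleed_status(text):
    """Classify a version string against the range quoted in the thread."""
    key, prerelease = parse_openssl_version(text)
    if prerelease:
        # Assumption: pre-release builds are outside the quoted list.
        return "unknown"
    if FIRST_AFFECTED <= key < FIRST_FIXED:
        return "affected"
    return "not affected"


# Constructed sample inputs: bare versions from the thread plus strings in
# the style printed by `openssl version`.
SAMPLES = ["1.0.0a", "1.0.1", "OpenSSL 1.0.1e 11 Feb 2013",
           "1.0.1f", "1.0.1g", "0.9.8za", "1.0.1e-fips", "1.0.2-beta1"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-28s %s" % (sample, heartbleed_status(sample)))
```

A vendor build that carries a backported fix can still report an older version string, so an "affected" result here means the build needs checking against the vendor's advisory.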

Re: Heartbleed OpenSSL vulnerability

Postby sland » Fri Apr 11, 2014 4:26 pm

Thanks Chris :)
sland
 
Posts: 4
Joined: Tue Oct 13, 2009 10:13 pm

