Heartbleed OpenSSL vulnerability

Heartbleed OpenSSL vulnerability

Postby HVGS » Wed Apr 09, 2014 4:18 am

Hi,

Are any Ability Mail Server versions affected buy this vulnerability ?

http://heartbleed.com/

Thanks,
Phil
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Heartbleed OpenSSL vulnerability

Postby Code Crafters » Wed Apr 09, 2014 9:10 pm

No versions of Ability Mail Server or Ability FTP Server are affected by this vulnerability.

From the OpenSSL website: https://www.openssl.org/news/vulnerabilities.html

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)


The latest Ability Mail Server and Ability FTP Server version of OpenSSL is 1.0.0a which is not affected by this vulnerability which is now fixed in the latest version currently 1.0.1g. We will be looking to upgrade to the latest OpenSSL DLLs in the next update soon.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Heartbleed OpenSSL vulnerability

Postby HVGS » Wed Apr 09, 2014 9:46 pm

Thanks Chris. That's what I thought but wanted to check.

Regards,
Phil
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Heartbleed OpenSSL vulnerability

Postby sland » Thu Apr 10, 2014 12:42 am

Please clarify. You state that

"No versions of Ability Mail Server or Ability FTP Server are affected by this vulnerability."

but then say that

"The latest Ability Mail Server and Ability FTP Server version of OpenSSL is 1.0.0a which is not affected by this vulnerability which is now fixed in the latest version currently 1.0.1g"

What is true? NO versions or only the latest versions are secure?

PS Im running AMS 3.10
sland
 
Posts: 4
Joined: Tue Oct 13, 2009 10:13 pm

Re: Heartbleed OpenSSL vulnerability

Postby Code Crafters » Thu Apr 10, 2014 5:47 pm

The vulnerability was fixed in OpenSSL 1.0.1g but was a problem in versions 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1

Ability Mail / FTP Servers are currently using 1.0.0a which was before the vulnerability was introduced.

We will update to the latest 1.0.1g (or later) in our next update.

To clarify, both 1.0.0a and 1.0.1g are not affected by the vulnerability. Sorry if this wasn't clear enough before.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Heartbleed OpenSSL vulnerability

Postby sland » Fri Apr 11, 2014 4:26 pm

Thanks Chris :)
sland
 
Posts: 4
Joined: Tue Oct 13, 2009 10:13 pm


Return to General

Who is online

Users browsing this forum: No registered users and 25 guests

cron