[BlueOnyx:16285] Re: Yum Updates: vs. SSLv3 "POODLE" Vulnerability

webmaster webmaster at oldcabin.net
Wed Oct 29 23:54:14 -05 2014



Ran the update on my 5108R and now can't connect via ftp.

Server GUI is showing red light


Tried this
[root at cabin2 admin]# /etc/rc.d/init.d/proftpd start
Get this
Starting proftpd: [FAILED]

Help!



5207R Updated fine.
No issues!
No FTP problems




> Hi all,
>
> I wish I could have done this sooner, but last week I was on a holiday.
> The work was pretty complex, but is finally done:
>
> The following YUM updates have just been published for BlueOnyx 5106R,
> 5107R, 5108R, 5207R and 5208R:
>
> base-admserv-*
> base-apache-*
> base-email-*
> dovecot-2.2.15-1BX01
> proftpd-1.3.5-1BX1
>
> They deal with the recently announced POODLE SSLv3 vulnerability and
> turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP
> and FTP.
>
> Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R
> it supports only TLSv1.0, as the underlying OpenSSL is too old. On all
> other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.
>
> ProFTPD was also updated to the latest version (v1.3.5), which
> (finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as
> before: On BlueOnyx 5106R only TLSv1.0 is available due to the ancient
> OpenSSL version that ships with CentOS5.
>
> Caveats:
> ========
>
> This is a somewhat massive and intrusive update. Especially so on 5106R,
> where we went from Dovecot 1.1.X straight to the latest available
> version. When Dovecot gets updated, it will need to recalculate the
> 2048-bit Diffie-Hellman ciphers. This can easily take several minutes,
> during which the polling of emails via IMAPS or POP3S is not possible.
> Please wait for it to finish. If you restart Dovecot during that period,
> it will recalculate the DH-ciphers again until it finally completes it.
> After that it will accept TLS connections just fine without a restart of
> the service.
>
> As SSLv3 is now turned off for all services you might get the odd call
> from clients who are no longer able to connect to secure POP3, secure
> IMAP, secure FTP or maybe even to a webpage via HTTPS. Most likely they
> will be using Windows XP with some really old browsers (like IE6) or an
> ancient Outlook or similar, which don't support even TLSv1.0 and fall
> back to the compromised SSLv3 protocol, which we just disabled entirely.
>
> Unless they upgrade they are out of luck. Windows XP is end of life and
> we will no longer cripple the security of our OS to accommodate them.
>
> If you get such a report from a client that is *not* using Windows XP,
> please ask them to update their email client or browser or FTP client to
> the latest version and to check the connection settings. They might have
> to change their account settings to use TLS instead of SSLv3.
>
> If you have problems with these updates, then please report them via the
> BlueOnyx General Mailing List by replying to this message.
>
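
One way to confirm that a service on an implicit-TLS port (HTTPS, IMAPS, POP3S) no longer accepts SSLv3 after these updates, added here as an example that is not part of the original thread or of BlueOnyx's own tooling: it sends a hand-built SSLv3 ClientHello and reports whether the server answers with an SSLv3 ServerHello. The function names and the cipher-suite list are assumptions of this example; FTP negotiates TLS after a plaintext AUTH TLS command and is not covered.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # protocol version 3.0 on the wire
# Constructed offer: RSA/DHE suites with RC4, 3DES and AES-CBC that SSLv3-era servers accept.
SUITES = [0x0005, 0x000A, 0x002F, 0x0035, 0x0033, 0x0039]

def build_sslv3_client_hello(random_bytes=None):
    """Return one record holding an SSLv3 ClientHello (no extensions)."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3 + rnd + b"\x00"                      # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(reply):
    """Map the first bytes of the server's answer to accepted / rejected / unknown."""
    if not reply or reply[0] == 0x15:                 # closed connection or alert record
        return "rejected"
    if (len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02
            and reply[9:11] == SSL3):                 # ServerHello that selected SSLv3
        return "accepted"
    return "unknown"

def probe(host, port, timeout=5.0):
    """Send the ClientHello to an implicit-TLS port and classify the reply."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            # Stop once the ServerHello version is readable or an alert has arrived.
            while len(reply) < 11 and reply[:1] != b"\x15":
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except ConnectionResetError:
            pass                                      # a reset counts as a refusal
    return classify_reply(reply)

if __name__ == "__main__":
    # Usage: python3 sslv3_probe.py HOST PORT   (a server you administer)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

After the update, the HTTPS, IMAPS and POP3S ports should report "rejected".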
