[BlueOnyx:16286] Re: Yum Updates: vs. SSLv3 "POODLE" Vulnerability

webmaster webmaster at oldcabin.net
Thu Oct 30 00:02:52 -05 2014

5106R

FTP not working
POP server not working

> Ran the update on my 5108R and now can't connect via ftp.
>
> Server GUI is showing red light
>
>
> Tried this
> [root@cabin2 admin]# /etc/rc.d/init.d/proftpd start
> Get this
> Starting proftpd: [FAILED]
>
> Help!
>
>
>
> 5207R Updated fine.
> No issues!
> No FTP problems
>
>
>
>
>> Hi all,
>>
>> I wish I could have done this sooner, but last week I was on a holiday.
>> The work was pretty complex, but is finally done:
>>
>> The following YUM updates have just been published for BlueOnyx 5106R,
>> 5107R, 5108R, 5207R and 5208R:
>>
>> base-admserv-*
>> base-apache-*
>> base-email-*
>> dovecot-2.2.15-1BX01
>> proftpd-1.3.5-1BX1
>>
>> They deal with the recently announced POODLE SSLv3 vulnerability and
>> turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP
>> and FTP.
>>
>> Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R
>> it supports only TLSv1.0, as the underlying OpenSSL is too old. On all
>> other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.
>>
>> ProFTPD was also updated to the latest version (v1.3.5), which
>> (finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as
>> before: On BlueOnyx 5106R only TLSv1.0 is available due to the ancient
>> OpenSSL version that ships with CentOS5.
>>
>> Caveats:
>> ========
>>
>> This is a somewhat massive and intrusive update. Especially so on 5106R,
>> where we went from Dovecot 1.1.X straight to the latest available
>> version. When Dovecot gets updated, it will need to recalculate the
>> 2048bit Diffie-Hellman ciphers. This can easily take several minutes,
>> during which the polling of emails via IMAPS or POP3S is not possible.
>> Please wait for it to finish. If you restart Dovecot during that period,
>> it will recalculate the DH-ciphers again until it finally completes it.
>> After that it will accept TLS connections just fine without a restart of
>> the service.
>>
>> As SSLv3 is now turned off for all services you might get the odd call
>> from clients who are no longer able to connect to secure POP3, secure
>> IMAP, secure FTP or maybe even to a webpage via HTTPS. Most likely they
>> will be using Windows XP with some really old browsers (like IE6) or an
>> ancient Outlook or similar, which don't support even TLSv1.0 and fall
>> back to the compromised SSLv3 protocol, which we just disabled entirely.
>>
>> Unless they upgrade they are out of luck. Windows XP is end of life and
>> we will no longer cripple the security of our OS to accommodate them.
>>
>> If you get such a report from a client that is *not* using Windows XP,
>> please ask them to update their email client or browser or FTP client to
>> the latest version and to check the connection settings. They might have
>> to change their account settings to use TLS instead of SSLv3.
>>
>> If you have problems with these updates, then please report them via the
>> BlueOnyx General Mailing List by replying to this message.
>>
>
>
>

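Added example, not part of the original thread and not BlueOnyx code: a small config audit that reports directive lines which still leave SSLv3 enabled after an update like the one announced above. It assumes the Apache mod_ssl directive `SSLProtocol` and the Dovecot 2.2 setting `ssl_protocols` (neither is named in the thread), does not cover ProFTPD or AdmServ, and runs on a constructed sample rather than real server files.

```python
import re

ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Token -> protocols it names; "all" is Apache's shorthand. Unknown tokens name nothing.
TOKENS = {**{p.lower(): {p} for p in ALL}, "all": ALL}

def apache_protocols(value):
    # Assumed mod_ssl semantics: "+x" adds, "-x" removes, a bare token replaces the set.
    enabled = set()
    for tok in value.split():
        sign = tok[0] if tok[0] in "+-" else ""
        names = set(TOKENS.get(tok[len(sign):].lower(), ()))
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def dovecot_protocols(value):
    # Assumed Dovecot 2.2 semantics: "!x" excludes; with no positive token, start from all.
    include, exclude = set(), set()
    for tok in value.split():
        target = exclude if tok.startswith("!") else include
        target.update(TOKENS.get(tok.lstrip("!").lower(), ()))
    return (include or set(ALL)) - exclude

DIRECTIVES = [
    (re.compile(r"^\s*SSLProtocol\s+(.+)$", re.I), apache_protocols),
    (re.compile(r"^\s*ssl_protocols\s*=\s*(.+)$"), dovecot_protocols),
]

def sslv3_findings(config_text):
    # Return [(line_no, directive_line)] for every active line that leaves SSLv3 on.
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        for pattern, parse in DIRECTIVES:
            m = pattern.match(line)
            if m and "SSLv3" in parse(m.group(1)):
                findings.append((no, line.strip()))
    return findings

# Constructed sample lines, not taken from a BlueOnyx server.
SAMPLE = ("SSLProtocol all -SSLv2\nSSLProtocol all -SSLv2 -SSLv3\n"
          "ssl_protocols = !SSLv2\nssl_protocols = !SSLv2 !SSLv3\n"
          "# SSLProtocol all\n")
for no, line in sslv3_findings(SAMPLE):
    print(f"line {no}: SSLv3 still enabled by: {line}")
```
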