[BlueOnyx:16292] Re: Yum Updates: vs. SSLv3 "POODLE" Vulnerability

Christoph Schneeberger cschnee at box.telemedia.ch
Thu Oct 30 02:41:14 -05 2014


Confirmed, all 5106 dovecots are down after update, didn't have any 
reports on ftp yet and am busy applying Dirk's fix for dovecot which 
seems to cure the issue.

Christoph

On 10/30/2014 06:02 AM, webmaster wrote:
>
> 5106R
>
> FTP not working
> POP server not working
>
>>
>> Ran the update on my 5108R and now can't connect via ftp.
>>
>> Server GUI is showing red light
>>
>> Tried this
>> [root@cabin2 admin]# /etc/rc.d/init.d/proftpd start
>> Get this
>> Starting proftpd: [FAILED]
>>
>> Help!
>>
>> 5207R Updated fine.
>> No issues!
>> No FTP problems
>>
>>> Hi all,
>>>
>>> I wish I could have done this sooner, but last week I was on a holiday.
>>> The work was pretty complex, but is finally done:
>>>
>>> The following YUM updates have just been published for BlueOnyx 5106R,
>>> 5107R, 5108R, 5207R and 5208R:
>>>
>>> base-admserv-*
>>> base-apache-*
>>> base-email-*
>>> dovecot-2.2.15-1BX01
>>> proftpd-1.3.5-1BX1
>>>
>>> They deal with the recently announced POODLE SSLv3 vulnerability and
>>> turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP
>>> and FTP.
>>>
>>> Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R
>>> it supports only TLSv1.0, as the underlying OpenSSL is too old. On all
>>> other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.
>>>
>>> ProFTPD was also updated to the latest version (v1.3.5), which
>>> (finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as
>>> before: On BlueOnyx 5106R only TLSv1.0 is available due to the ancient
>>> OpenSSL version that ships with CentOS5.
>>>
>>> Caveats:
>>> ========
>>>
>>> This is a somewhat massive and intrusive update. Especially so on 5106R,
>>> where we went from Dovecot 1.1.X straight to the latest available
>>> version. When Dovecot gets updated, it will need to recalculate the
>>> 2048-bit Diffie-Hellman ciphers. This can easily take several minutes,
>>> during which the polling of emails via IMAPS or POP3S is not possible.
>>> Please wait for it to finish. If you restart Dovecot during that period,
>>> it will recalculate the DH-ciphers again until it finally completes it.
>>> After that it will accept TLS connections just fine without a restart of
>>> the service.
>>>
>>> As SSLv3 is now turned off for all services you might get the odd call
>>> from clients who are no longer able to connect to secure POP3, secure
>>> IMAP, secure FTP or maybe even to a webpage via HTTPS. Most likely they
>>> will be using Windows XP with some really old browsers (like IE6) or an
>>> ancient Outlook or similar, which don't support even TLSv1.0 and fall
>>> back to the compromised SSLv3 protocol, which we just disabled entirely.
>>>
>>> Unless they upgrade they are out of luck. Windows XP is end of life and
>>> we will no longer cripple the security of our OS to accommodate them.
>>>
>>> If you get such a report from a client that is *not* using Windows XP,
>>> please ask them to update their email client or browser or FTP client to
>>> the latest version and to check the connection settings. They might have
>>> to change their account settings to use TLS instead of SSLv3.
>>>
>>> If you have problems with these updates, then please report them via the
>>> BlueOnyx General Mailing List by replying to this message.
>>>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
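
A check an administrator could run after applying the updates described in this thread, added here as an example and not part of the original messages or of BlueOnyx: it sends a hand-built ClientHello whose highest offered version is SSLv3 or TLSv1.0 and reports whether the server answers with a ServerHello or refuses. The host name, port choice and function names are assumptions, and it only applies to implicit-TLS ports (IMAPS, POP3S, HTTPS), not to STARTTLS or FTP AUTH TLS.

```python
import os
import socket
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
NAMES = {v: k for k, v in VERSIONS.items()}
# Legacy RSA suites usable with SSLv3 and TLSv1.0: AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA.
SUITES = (0x002F, 0x0035, 0x000A, 0x0005)


def build_client_hello(version):
    """Return one record holding a ClientHello whose highest offered version is `version`."""
    major, minor = VERSIONS[version]
    body = bytes([major, minor]) + os.urandom(32)      # client_version + random
    body += b"\x00"                                     # empty session id
    body += struct.pack("!H", 2 * len(SUITES)) + b"".join(struct.pack("!H", s) for s in SUITES)
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first bytes a server sends back to the ClientHello."""
    if len(data) < 7:
        return "refused (connection closed)"
    if data[0] == 0x15:                                 # alert record: level, description
        return "refused (alert %d)" % data[6]
    if data[0] == 0x16 and data[5] == 0x02 and len(data) >= 11:   # ServerHello
        return "accepted " + NAMES.get((data[9], data[10]), "unknown version")
    return "unexpected reply"


def probe(host, port, version, timeout=5.0):
    """Offer `version` as the maximum to host:port (implicit-TLS ports only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            return classify_reply(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "refused (connection closed)"


if __name__ == "__main__":
    # mail.example.com is a placeholder; 993 = IMAPS, 995 = POP3S.
    for port in (993, 995):
        for version in ("SSLv3", "TLSv1.0"):
            print(port, version, probe("mail.example.com", port, version))
```

After the update, the SSLv3 probe should come back refused while TLSv1.0 is accepted. A refusal can also mean the server shares none of the four offered cipher suites, so confirm against the service configuration before drawing conclusions.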
