[BlueOnyx:16298] Re: Yum Updates: vs. SSLv3 "Pootle" Vulnerability

Roger Elve elvesaether at gmail.com
Thu Oct 30 04:08:59 -05 2014


Hi!
I can confirm that the FTP server is down on both 5106R and 5107R (OpenVZ)
systems after updates.
To be accurate: plain FTP is down, implicit FTP over TLS was working.

For those who really need plain FTP ASAP:
Disable TLS in /etc/proftpd.conf:
# TLS
<IfModule mod_tls.c>
   TLSEngine off
/* snip */

Reload and restart the xinetd service:
service xinetd reload
service xinetd restart


On Thu, Oct 30, 2014 at 3:45 AM, Michael Stauber <mstauber at blueonyx.it> wrote:

> Hi all,
>
> I wish I could have done this sooner, but last week I was on a holiday.
> The work was pretty complex, but is finally done:
>
> The following YUM updates have just been published for BlueOnyx 5106R,
> 5107R, 5108R, 5207R and 5208R:
>
> base-admserv-*
> base-apache-*
> base-email-*
> dovecot-2.2.15-1BX01
> proftpd-1.3.5-1BX1
>
> They deal with the recently announced POODLE SSLv3 vulnerability and
> turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP
> and FTP.
>
> Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R
> it supports only TLSv1.0, as the underlying OpenSSL is too old. On all
> other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.
>
> ProFTPD was also updated to the latest version (v1.3.5), which
> (finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as
> before: On BlueOnyx 5106R only TLSv1.0 is available due to the ancient
> OpenSSL version that ships with CentOS5.
>
> Caveats:
> ========
>
> This is a somewhat massive and intrusive update. Especially so on 5106R,
> where we went from Dovecot 1.1.X straight to the latest available
> version. When Dovecot gets updated, it will need to recalculate the
> 2048bit Diffie-Hellman ciphers. This can easily take several minutes,
> during which the polling of emails via IMAPS or POP3S is not possible.
> Please wait for it to finish. If you restart Dovecot during that period,
> it will recalculate the DH-ciphers again until it finally completes it.
> After that it will accept TLS connections just fine without a restart of
> the service.
>
> As SSLv3 is now turned off for all services you might get the odd call
> from clients who are no longer able to connect to secure POP3, secure
> IMAP, secure FTP or maybe even to a webpage via HTTPS. Most likely they
> will be using Windows XP with some really old browsers (like IE6) or an
> ancient Outlook or similar, which don't support even TLSv1.0 and fall
> back to the compromised SSLv3 protocol, which we just disabled entirely.
>
> Unless they upgrade they are out of luck. Windows XP is end of life and
> we will no longer cripple the security of our OS to accommodate them.
>
> If you get such a report from a client that is *not* using Windows XP,
> please ask them to update their email client or browser or FTP client to
> the latest version and to check the connection settings. They might have
> to change their account settings to use TLS instead of SSLv3.
>
> If you have problems with these updates, then please report them via the
> BlueOnyx General Mailing List by replying to this message.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
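Added below as a worked example for this thread (it is not code from BlueOnyx, Michael Stauber or Roger Elve): a small Python audit that reads ProFTPD, Dovecot and Apache configuration text and reports whether SSLv3 is still negotiable and, separately, whether TLS has been switched off altogether. The second check matters for the workaround above: `TLSEngine off` does bring plain FTP back, but it also removes FTP over TLS, so FTP logins cross the wire in the clear until the proper fix is in. The directive names are the real ones (ProFTPD mod_tls TLSEngine/TLSProtocol, Dovecot 2.2 ssl/ssl_protocols, Apache mod_ssl SSLProtocol); the sample snippets embedded in the script are constructed, not copied from any BlueOnyx install, and the remarks about compiled-in defaults are assumptions to verify against your own build.

```python
"""Audit ProFTPD, Dovecot and Apache config text for SSLv3 and for TLS
being switched off altogether.

Added example for this thread; not code from BlueOnyx or its maintainers.
Directive names are real (ProFTPD mod_tls TLSEngine/TLSProtocol, Dovecot 2.2
ssl/ssl_protocols, Apache mod_ssl SSLProtocol); the sample snippets at the
bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    service: str
    status: str    # "ok" | "sslv3-allowed" | "tls-disabled" | "unknown"
    detail: str


def _directive(text, name):
    """Value of the last uncommented `Name value` or `name = value` line."""
    value = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"([A-Za-z_]\w*)\s*=?\s*(.*)$", line)
        if m and m.group(1).lower() == name.lower():
            value = m.group(2).strip()             # later lines override
    return value


def audit_proftpd(conf):
    engine = _directive(conf, "TLSEngine")
    if engine is None or engine.lower() != "on":
        return Finding("proftpd", "tls-disabled",
                       "TLSEngine is not 'on': logins and data go in the clear")
    proto = _directive(conf, "TLSProtocol")
    if proto is None:
        # Assumption: the compiled-in default varies by ProFTPD version.
        return Finding("proftpd", "unknown",
                       "no TLSProtocol directive; set it explicitly")
    # mod_tls' SSLv23 keyword means 'SSLv3 or newer', so it counts as SSLv3.
    bad = [t for t in proto.split() if t.upper() in ("SSLV3", "SSLV23")]
    if bad:
        return Finding("proftpd", "sslv3-allowed",
                       "TLSProtocol lists " + " ".join(bad))
    return Finding("proftpd", "ok", "TLSProtocol " + proto)


def audit_dovecot(conf):
    if (_directive(conf, "ssl") or "").lower() == "no":
        return Finding("dovecot", "tls-disabled", "ssl = no")
    proto = _directive(conf, "ssl_protocols")
    if proto is None:
        # Assumption: the default varies by Dovecot version.
        return Finding("dovecot", "unknown",
                       "no ssl_protocols directive; set it explicitly")
    tokens = [t.upper() for t in proto.split()]
    if any(t.startswith("!") for t in tokens):
        ok = "!SSLV3" in tokens          # exclusion list: must name !SSLv3
    else:
        ok = "SSLV3" not in tokens       # explicit allow-list: must omit SSLv3
    return Finding("dovecot", "ok" if ok else "sslv3-allowed",
                   "ssl_protocols = " + proto)


def audit_apache(conf):
    # mod_ssl defaults to 'all', which includes SSLv3 on an OpenSSL that has it.
    proto = _directive(conf, "SSLProtocol") or "all"
    tokens = [t.upper() for t in proto.split()]
    if "-SSLV3" in tokens:
        ok = True
    else:
        ok = not any(t in ("ALL", "SSLV3", "+SSLV3") for t in tokens)
    return Finding("apache", "ok" if ok else "sslv3-allowed",
                   "SSLProtocol " + proto)


# --- constructed sample snippets (not real BlueOnyx files) ----------------
PROFTPD_WORKAROUND = """\
# TLS
<IfModule mod_tls.c>
   TLSEngine off
   TLSProtocol TLSv1 TLSv1.1 TLSv1.2
</IfModule>
"""
PROFTPD_HARDENED = PROFTPD_WORKAROUND.replace("TLSEngine off", "TLSEngine on")
PROFTPD_LEGACY = PROFTPD_HARDENED.replace("TLSv1 TLSv1.1 TLSv1.2", "SSLv23")
DOVECOT_LEGACY = "ssl = required\nssl_protocols = !SSLv2\n"
DOVECOT_HARDENED = "ssl = required\nssl_protocols = !SSLv2 !SSLv3\n"
APACHE_LEGACY = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_HARDENED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"


def audit_samples():
    """Run every sample through its auditor; returns {label: status}."""
    cases = {
        "proftpd-workaround": audit_proftpd(PROFTPD_WORKAROUND),
        "proftpd-hardened": audit_proftpd(PROFTPD_HARDENED),
        "proftpd-legacy": audit_proftpd(PROFTPD_LEGACY),
        "dovecot-legacy": audit_dovecot(DOVECOT_LEGACY),
        "dovecot-hardened": audit_dovecot(DOVECOT_HARDENED),
        "apache-legacy": audit_apache(APACHE_LEGACY),
        "apache-hardened": audit_apache(APACHE_HARDENED),
    }
    return {label: f.status for label, f in cases.items()}


if __name__ == "__main__":
    for label, status in audit_samples().items():
        print(f"{label:20s} {status}")
```

To check a live box, feed the real files in, e.g. audit_proftpd(open("/etc/proftpd.conf").read()). A result of "unknown" means the file relies on a compiled-in default; set the protocol directive explicitly rather than trusting whichever default that build ships with, and treat "tls-disabled" on the FTP service as a temporary state to be reverted once the proftpd package is fixed.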