[BlueOnyx:16302] Re: Yum Updates: vs. SSLv3 "POODLE" Vulnerability

Rickard Osser rickard.osser at bluapp.com
Thu Oct 30 04:30:07 -05 2014


Hi Dirk,

reinstalling doesn't do it! Sorry.
Roger Elve's trick does it though!

BTW, I suppose ftps still should work as that is handled by the
VirtualHost directive in the conf-file.

Best regards,

Rickard

On Thu, 2014-10-30 at 09:21 +0000, Dirk Estenfeld wrote:
> Hello,
> 
> 
> I think I have the fix for the ftp issue.
> 
> 
> yum reinstall proftpd
> service xinetd restart
> 
> 
> Worked for two servers. We will now try it for all servers.
> 
> 
> Best regards,
> Dirk
> 
> ----------------------
> 
> 
> Black Point Arts Internet Solutions GmbH
> Hanauer Landstraße 423a
> 60314 Frankfurt am Main
> Tel. 069 95218131
> Fax 069 95218141
> E-Mail dirk.estenfeld at bpanet.de
> www.bpanet.de
> 
> On 30.10.2014 at 05:57, webmaster <webmaster at oldcabin.net> wrote:
> 
> 
> > 
> > 
> > Ran the update on my 5108R and now can't connect via ftp.
> > 
> > Server GUI is showing red light
> > 
> > 
> > Tried this
> > [root at cabin2 admin]# /etc/rc.d/init.d/proftpd start
> > Get this
> > Starting proftpd:                                          [FAILED]
> > 
> > Help!
> > 
> > 
> > 
> > 5207R Updated fine.
> > No issues!
> > No FTP problems
> > 
> > 
> > 
> > 
> > 
> > > Hi all,
> > > 
> > > I wish I could have done this sooner, but last week I was on a holiday.
> > > The work was pretty complex, but is finally done:
> > > 
> > > The following YUM updates have just been published for BlueOnyx 5106R,
> > > 5107R, 5108R, 5207R and 5208R:
> > > 
> > > base-admserv-*
> > > base-apache-*
> > > base-email-*
> > > dovecot-2.2.15-1BX01
> > > proftpd-1.3.5-1BX1
> > > 
> > > They deal with the recently announced POODLE SSLv3 vulnerability and
> > > turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP
> > > and FTP.
> > > 
> > > Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R
> > > it supports only TLSv1.0, as the underlying OpenSSL is too old. On all
> > > other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.
> > > 
> > > ProFTPD was also updated to the latest version (v1.3.5), which
> > > (finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as
> > > before: On BlueOnyx 5106R only TLSv1.0 is available due to the ancient
> > > OpenSSL version that ships with CentOS5.
> > > 
> > > Caveats:
> > > ========
> > > 
> > > This is a somewhat massive and intrusive update. Especially so on 5106R,
> > > where we went from Dovecot 1.1.X straight to the latest available
> > > version. When Dovecot gets updated, it will need to recalculate the
> > > 2048-bit Diffie-Hellman ciphers. This can easily take several minutes,
> > > during which the polling of emails via IMAPS or POP3S is not possible.
> > > Please wait for it to finish. If you restart Dovecot during that period,
> > > it will recalculate the DH-ciphers again until it finally completes it.
> > > After that it will accept TLS connections just fine without a restart of
> > > the service.
> > > 
> > > As SSLv3 is now turned off for all services you might get the odd call
> > > from clients who are no longer able to connect to secure POP3, secure
> > > IMAP, secure FTP or maybe even to a webpage via HTTPS. Most likely they
> > > will be using Windows XP with some really old browsers (like IE6) or an
> > > ancient Outlook or similar, which don't support even TLSv1.0 and fall
> > > back to the compromised SSLv3 protocol, which we just disabled entirely.
> > > 
> > > Unless they upgrade they are out of luck. Windows XP is end of life and
> > > we will no longer cripple the security of our OS to accommodate them.
> > > 
> > > If you get such a report from a client that is *not* using Windows XP,
> > > please ask them to update their email client or browser or FTP client to
> > > the latest version and to check the connection settings. They might have
> > > to change their account settings to use TLS instead of SSLv3.
> > > 
> > > If you have problems with these updates, then please report them via the
> > > BlueOnyx General Mailing List by replying to this message.
> > > 
> > 
> > 
> > _______________________________________________
> > Blueonyx mailing list
> > Blueonyx at mail.blueonyx.it
> > http://mail.blueonyx.it/mailman/listinfo/blueonyx
> > 

-- 



________________________________________________________________________


Bluapp AB
Rickard Osser
CTO
Solberga Ängsväg 3
125 44 Älvsjö
Sweden
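
One way to confirm what the quoted announcement describes (SSLv3 refused, TLSv1.0 still accepted) on an implicit-TLS port such as HTTPS, IMAPS or POP3S. This is an added example, not part of the original thread or of BlueOnyx; the function names are hypothetical and the cipher list is an assumption chosen to match suites a 2014-era server would offer.

```python
import socket
import struct

SSL3 = (3, 0)     # wire version of SSLv3
TLS1_0 = (3, 1)   # wire version of TLSv1.0

def client_hello(version=SSL3):
    """Build a minimal ClientHello record that offers only `version`."""
    ciphers = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0x0005)  # AES128/256-SHA, 3DES-SHA, RC4-SHA
    body = (bytes(version) + bytes(32)              # client_version + random (zeros: probe only)
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify(reply, version=SSL3):
    """Interpret the first bytes the server sent back after the hello."""
    if len(reply) < 5:
        return "closed"                             # connection dropped: version refused
    if reply[0] == 0x15:                            # alert record
        return "rejected"
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:  # ServerHello
        chosen = (reply[9], reply[10])              # server_version follows the 4-byte handshake header
        return "accepted" if chosen == version else "other-version"
    return "unknown"

def probe(host, port, version=SSL3, timeout=5.0):
    """Send the hello to an implicit-TLS port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(version))
        try:
            return classify(s.recv(16), version)
        except (ConnectionResetError, socket.timeout):
            return "closed"
```

After the update, `probe(host, 993)` should return "rejected" or "closed", and `probe(host, 993, TLS1_0)` should return "accepted". Services that upgrade a plaintext session, such as explicit FTPS, need their upgrade command sent first and are not covered by `probe`.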



