
Kerio User Forums » Kerio Connect: CVE-2014-0160 / OpenSSL Heartbleed (When will you have a patch for OpenSSL Heartbleed?)
  •  
markm

Messages: 2
Karma: 0
It appears that Kerio Connect has a bundled version of OpenSSL that is vulnerable to CVE-2014-0160.

I have run a scanner on my mail server and even though I updated the installed OpenSSL I am still vulnerable because of the bundled OpenSSL.

When will there be an update that addresses this?
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
  •  
bmdv

Messages: 110
Karma: 0
  •  
b-tom

Messages: 177
Karma: 4
  •  
Marko Engelmann (TESIS)

Messages: 14
Karma: 0
Hi,
To stress this point: the exact question was "WHEN"?

  •  
campodoro74

Messages: 119
Karma: 0
Dobry, is this update coming TODAY?
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
All updates will be posted at http://forums.kerio.com/t/27043//

We are working on a hotfix and it should be available in 24 hours. We are trying to speed up the whole release process and necessary testing to the maximum. Thank you for understanding.
  •  
campodoro74

Messages: 119
Karma: 0
Excellent, thank you for your prompt reply!
  •  
artanis

Messages: 1
Karma: 0
I can get admin session IDs / mail threads / mail names and others.

[Updated on: Tue, 08 April 2014 14:09]

  •  
hugge

Messages: 2
Karma: -2
Yes.

It is possible to read any emails, get any admin session or whatever from all of our Kerio installations. From anywhere. Not cool to have SSL bundled into the application instead of running the system-wide version of SSL.

Wonder who has read all of our emails over the last year or so? Guess we will never know.
  •  
Jeeves_

Messages: 22
Karma: 4
Please note that both Control and Operator are affected too.

I've just been reading some of my emails via this bug. I prefer to just use my Thunderbird. Please hurry up with the update.

Offering Kerio and much more. See http://www.tuxis.nl and http://www.kerioindecloud.nl/
  •  
mwd

Messages: 67
Karma: 1
Yeah, it is pretty bad. All our Debian servers have been updated, but I can still read email on any Kerio server out there :(

There is also no point revoking and changing our passwords until we have patched/updated all applications with this issue, so we must wait while our private keys might be getting copied :( :(

[Updated on: Tue, 08 April 2014 15:30]

  •  
Maerad

Messages: 158
Karma: 31
Please try to keep calm - I'm sure they're working on the bug with full priority. Keep in mind that Kerio is used in many production environments, and even with a catastrophic bug like this one, the fix has to be tested.

They can't just copy the new files into the installer and call it done. I prefer a fix that is at least tested with most configs over a fast one that disables half the system or deletes something.

For now I've shut down Kerio (glad the work day just ended) and our backup mail server (hMailServer, which also has the TLS bug, but there I disabled SSL for as long as the fix needs) receives all mail.

And after the fix I have to recreate all certs and force a reset of the user passwords. wohooo :3
  •  
markm

Messages: 2
Karma: 0
The bug can be patched by adding a flag to OpenSSL at compile time to disable heartbeats.

No one should be calm because this should be done already.

I stayed up all night last night patching customers' servers.

Marko Engelmann (TESIS)

Messages: 14
Karma: 0
Yes - and in defence of Kerio: the "custom" OpenSSL library made features like PFS and elliptic curve encryption possible, which are not available using the OS-supplied libraries on some supported platforms.

That's the sad part of this issue: you are getting punished for using a state-of-the-art library - to provide features the customers (we!) were calling for...

[Updated on: Tue, 08 April 2014 17:15]
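markm's point about a compile-time flag and Marko's about the bundled library lead to the same practical question: which OpenSSL copies are actually sitting inside an application tree, and which of them fall in the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 are fixed, 1.0.0 and 0.9.8 never had heartbeat support). The script below is an added example, not Kerio's code: it walks a directory, finds the version banner that OpenSSL compiles into libssl/libcrypto and statically linked binaries, and classifies it. The file names in `demo_scan()` (including `libkssl.so`) and the blobs are constructed for the demo.

```python
"""Locate bundled OpenSSL copies under a directory and flag Heartbleed-range versions.

Added example, not Kerio's code.  Sample file names and blobs are constructed.
"""
import os
import re
import shutil
import tempfile

# Banner compiled into OpenSSL binaries, e.g. b"OpenSSL 1.0.1e 11 Feb 2013"
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-beta\d)?) +\d{1,2} [A-Z][a-z]{2} \d{4}")


def heartbleed_status(version):
    """Classify an OpenSSL version string by the CVE-2014-0160 affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d))?", version)
    if not m:
        return "unknown"
    major, minor, fix, letter, beta = m.groups()
    base = (int(major), int(minor), int(fix))
    if base == (1, 0, 1):
        return "vulnerable" if letter < "g" else "fixed"      # 1.0.1 .. 1.0.1f bad, 1.0.1g fixed
    if base == (1, 0, 2):
        return "vulnerable" if beta == "1" else "fixed"       # only 1.0.2-beta1 shipped the bug
    return "not affected"                                     # 1.0.0, 0.9.8: no heartbeat code


def scan_tree(root, chunk=1 << 20):
    """Walk root and return (path, version, status) for every OpenSSL banner found.
    Files are read in chunks with a 64-byte overlap so a banner straddling a
    chunk boundary is still matched; one hit per version per file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            seen = set()
            try:
                with open(path, "rb") as f:
                    tail = b""
                    while True:
                        data = f.read(chunk)
                        if not data:
                            break
                        for m in BANNER.finditer(tail + data):
                            version = m.group(1).decode()
                            if version not in seen:
                                seen.add(version)
                                hits.append((path, version, heartbleed_status(version)))
                        tail = (tail + data)[-64:]
            except OSError:
                continue
    return hits


def demo_scan():
    """Constructed sample tree: one fake library with a vulnerable banner, one fake
    binary with a fixed banner, one text file without any. Returns sorted hits."""
    root = tempfile.mkdtemp()
    try:
        samples = {
            "libkssl.so": b"\x7fELF" + b"\x00" * 200 + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 50,
            "helper": b"\x7fELF" + b"\x00" * 30 + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
            "readme.txt": b"no banner in here",
        }
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(blob)
        return sorted((os.path.basename(p), v, s) for p, v, s in scan_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, version, status in demo_scan():
        print(f"{status:14s} OpenSSL {version}  {path}")
```

Two caveats keep this a triage tool rather than a verdict. Distribution packages backport the fix without changing the banner (a patched Debian libssl still reports 1.0.1e), and a build with heartbeats compiled out, as markm describes, also keeps its original banner; both show up here as "vulnerable" although they are not. Conversely a banner that says "fixed" only tells you about that file, not about which library a running process actually loaded. Use the scan to find candidate files, then confirm with a live heartbeat probe against the running service.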
