Openssl problem
urban.hake

Messages: 22
Karma: 0
What is being done about this?

Problem description
The vulnerability in OpenSSL 1.0.1 (and 1.0.2-beta) can be used to read the private memory of the application protected with OpenSSL and thus get hold of such things as keys from X.509 certificates, usernames and passwords.

Solution
Upgrade to OpenSSL version 1.0.1g
  •  
vlada

Messages: 32
Karma: -3
Pavel Dobry (Kerio) wrote on Tue, 08 April 2014 13:10
Already discussed ...


Sorry, there is no discussion, only a tensioned expectation.
  •  
Neil Whiteside (Kerio)

Messages: 318

Karma: 35
All updates will be posted at http://forums.kerio.com/t/27043//

We are working on a hotfix and it should be available in 24 hours. We are trying to speed up the whole release process and necessary testing to the maximum. Thank you for understanding.

Knowledge Base: http://kb.kerio.com/.
Looking for technical support? http://www.kerio.com/support
  •  
hugge

Messages: 2
Karma: -2
The exploit works great on our Kerio installations. You can read emails, get session IDs and more or less dump everything the server handles. Huge problem. Please get an update *very* soon.

Why have openssl bundled instead of using the system openssl? Then this problem would have been solved 2 hours after it got discovered.
  •  
Maerad

Messages: 158
Karma: 31
Quote:
Why have openssl bundled instead of using the system openssl? Then this problem would have been solved 2 hours after it got discovered.


Just think about it for more than 2 seconds :)

Kerio is made to run on many different systems. There are many different programs for SSL to be used, many different versions, many different configs. This way Kerio can't work, because they don't know how the system might be configured or maybe some dependencies are missing.

Also it wouldn't work with the "easy install" option, because you would have to install, configure and link your local openssl installation. Not to mention that most of the linked assistant systems in the menu might not work, because of a different config, paths and so on.

And don't get me started on admins with less knowledge, who don't even know HOW to update something or edit a config in bash. Or how to use a specific openssl program version and not the newest for Ubuntu.

If you want to provide a fully working, configured and easy to install/use system, you are forced to include all important programs it needs. Simple as that.

Same goes for other projects that each install their own Tomcat server and Java version instead of using the system-wide one.
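
Added example, not part of any post in this thread and not Kerio's code: a bundled OpenSSL is not replaced by a system package update, so one way to locate such copies is to search an install tree for the version banner that libcrypto embeds. The affected range follows the thread's wording (1.0.1 before 1.0.1g, and any 1.0.2 beta); the function names and the banner regex are this example's own assumptions.

```python
import re
import sys
from pathlib import Path

# Banner that libcrypto embeds, e.g. b"OpenSSL 1.0.1f 6 Jan 2014".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?[-\w]* +\d{1,2} [A-Z][a-z]{2} \d{4}"
)


def is_affected(base, letter, beta):
    """Range as stated in the thread: 1.0.1 before 1.0.1g, and 1.0.2-beta."""
    if base == "1.0.1":
        return letter < "g"          # "" (plain 1.0.1) and "a".."f"
    return base == "1.0.2" and bool(beta)


def versions_in(data):
    """Return {version_string: affected} for every banner found in a byte blob."""
    found = {}
    for m in BANNER.finditer(data):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        found[base + letter + beta] = is_affected(base, letter, beta)
    return found


def scan_tree(root):
    """Walk an install directory; map each file that embeds OpenSSL to its versions."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            found = versions_in(path.read_bytes())
        except OSError:
            continue                  # unreadable file: skip, do not abort the scan
        if found:
            report[str(path)] = found
    return report


if __name__ == "__main__":
    # Usage: python find_bundled_openssl.py /path/to/application/install/dir
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, found in sorted(hits.items()):
        for version, affected in sorted(found.items()):
            print(f"{'AFFECTED' if affected else 'ok':8}  OpenSSL {version:12}  {path}")
    sys.exit(1 if any(a for f in hits.values() for a in f.values()) else 0)
```

The scan also catches statically linked executables, since the banner is compiled into them; a hit only identifies the bundled version and says nothing about whether keys or passwords were already exposed.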
  •  
Neil Whiteside (Kerio)

Messages: 318

Karma: 35
The Hotfixes for Kerio Connect are available here:

http://goo.gl/filNif

[Updated on: Wed, 09 April 2014 13:31] by Moderator

