Re: [exim] [heartbleedbug] unfortunately i missed the conver…

Author: Phil Pennock
Date:  
To: Elrippo
CC: exim-users
Subject: Re: [exim] [heartbleedbug] unfortunately i missed the conversation
On 2014-04-15 at 21:14 +0200, Elrippo wrote:
> Firstly I want to apologize for being late on that topic, but I missed the list on exim relevant precautions regarding exim4 running on an Ubuntu precise box.
> I updated my box, and it is using the right and advised openssl libraries.
> Could you be so kind to tell me, if there are any, what steps need to be taken to secure exim?


Run:

    exim -d -bV | less


It will give you information about the compile-time and run-time
versions of various libraries; on a box where Exim is using OpenSSL,
this might be something like:

----------------------------8< cut here >8------------------------------
Library version: OpenSSL: Compile: OpenSSL 1.0.1e 11 Feb 2013
                          Runtime: OpenSSL 1.0.1g 7 Apr 2014
----------------------------8< cut here >8------------------------------


If you're using standard Exim packages on Ubuntu, then there's nothing
to do, because Exim will be using GnuTLS instead of OpenSSL, so
Heartbleed was not an issue for you:
----------------------------8< cut here >8------------------------------
Library version: GnuTLS: Compile: 2.12.14
                         Runtime: 2.12.14
----------------------------8< cut here >8------------------------------


If you are using a custom Exim build using OpenSSL, but using the system
OpenSSL libraries, then it's highly likely that you're using an OpenSSL
which was patched without changing the run-time reported version number.
Worse, Exim just reports the basic version string, not the build
timestamp, so you can't prove directly that a new Exim process is using
the correct library. But if only one OpenSSL library is installed, and
"lsof -c exim4" shows that the library file mmap'd into the Exim
address-space is the correct path (and not some other OpenSSL which
you'd forgotten about) then you should be good. Make sure to restart
Exim after updating OpenSSL.

Regards,
-Phil
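The checks Phil describes (read the library versions from `exim -d -bV`, then confirm which TLS library objects are actually mapped into the running Exim processes and that they all come from one place) as a small shell script. This is an added example, not code from the mail or from the Exim project. The `exim -d -bV` and `lsof` outputs below are constructed from the mail's excerpts; the Exim binary name (`exim`, overridable via an assumed `EXIM` environment variable since Ubuntu installs it as `exim4`) and the `lsof` column layout are assumptions.

```shell
#!/bin/sh
# Added example, not from Phil's mail or the Exim project: parse the
# "Library version:" lines that `exim -d -bV` prints, then list which
# libssl/libcrypto/libgnutls objects are mapped into running Exim processes
# (the "lsof -c exim4" check from the mail). All sample output is constructed.

# Constructed sample of the relevant `exim -d -bV` lines for an OpenSSL build
# (values copied from the mail's excerpt).
SAMPLE_BV='Library version: OpenSSL: Compile: OpenSSL 1.0.1e 11 Feb 2013
                          Runtime: OpenSSL 1.0.1g 7 Apr 2014'

# Constructed sample for a GnuTLS build, the stock Ubuntu case.
SAMPLE_BV_GNUTLS='Library version: GnuTLS: Compile: 2.12.14
                         Runtime: 2.12.14'

# Constructed sample of `lsof -c exim4` output with two different libssl copies
# mapped: the /usr/local one is the "forgotten" OpenSSL the mail warns about.
SAMPLE_LSOF='COMMAND  PID USER        FD  TYPE DEVICE SIZE/OFF   NODE NAME
exim4   1234 Debian-exim mem REG  8,1   1978000 131073 /lib/x86_64-linux-gnu/libssl.so.1.0.0
exim4   1234 Debian-exim mem REG  8,1   2030000 131074 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
exim4   1234 Debian-exim mem REG  8,1   1978000 262145 /usr/local/ssl/lib/libssl.so.1.0.0'

# tls_library_name OUTPUT: the TLS library Exim was built against
# (OpenSSL or GnuTLS), taken from the "Library version:" line.
tls_library_name() {
    printf '%s\n' "$1" | sed -n 's/^Library version: \([A-Za-z]*\):.*/\1/p'
}

# tls_version OUTPUT Compile|Runtime: the version string after that label.
# Runtime is the one that matters, but as the mail notes a distro may patch
# the library without changing this string, so it is evidence, not proof.
tls_version() {
    printf '%s\n' "$1" | sed -n "s/.*$2: *//p"
}

# mapped_tls_libs LSOF_OUTPUT: unique paths of TLS library objects that are
# memory-mapped (FD column "mem") into the process.
mapped_tls_libs() {
    printf '%s\n' "$1" | awk '$4 == "mem" && $NF ~ /\/lib(ssl|crypto|gnutls)\./ { print $NF }' | sort -u
}

# tls_lib_dirs LSOF_OUTPUT: distinct directories those objects come from.
# More than one directory means a second TLS library is in the address space.
tls_lib_dirs() {
    mapped_tls_libs "$1" | sed 's#/[^/]*$##' | sort -u
}

# tls_lib_dir_count LSOF_OUTPUT: number of such directories, as a plain integer.
tls_lib_dir_count() {
    tls_lib_dirs "$1" | wc -l | tr -d ' '
}

# check_exim_tls: run the real commands on this host. The binary name is an
# assumption; Ubuntu packages install it as exim4, so use EXIM=exim4 there.
check_exim_tls() {
    exim_bin="${EXIM:-exim}"
    command -v "$exim_bin" >/dev/null 2>&1 || { echo "$exim_bin not found on PATH" >&2; return 1; }
    bv=$("$exim_bin" -d -bV 2>&1)          # debug output goes to stderr, so merge it
    echo "TLS library:  $(tls_library_name "$bv")"
    echo "  compile-time: $(tls_version "$bv" Compile)"
    echo "  run-time:     $(tls_version "$bv" Runtime)"
    if command -v lsof >/dev/null 2>&1; then
        lsof_out=$(lsof -c "$exim_bin" 2>/dev/null)
        echo "TLS objects mapped into running $exim_bin processes:"
        mapped_tls_libs "$lsof_out" | sed 's/^/  /'
        if [ "$(tls_lib_dir_count "$lsof_out")" -gt 1 ]; then
            echo "WARNING: TLS libraries loaded from more than one directory; check which copy was updated, then restart $exim_bin" >&2
        fi
    fi
}
```

Source the file and call `check_exim_tls` (with `EXIM=exim4` on Ubuntu) on the host; a GnuTLS library name means the Heartbleed question does not apply to Exim, and a directory count above one means the process has loaded a TLS library from somewhere other than the system path you updated.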