Re: [exim] [heartbleedbug] unfortunately i missed the conver…

Author: Elrippo
Date:  
To: Phil Pennock
CC: exim-users
Subject: Re: [exim] [heartbleedbug] unfortunately i missed the conversation
Hi Phil.

Thank you very much, I am running GnuTLS and safe!
Thank you for your support :D

Kind regards,
elrippo

On 16. April 2014 04:37:22 MESZ, Phil Pennock <pdp@???> wrote:
>On 2014-04-15 at 21:14 +0200, Elrippo wrote:
>> Firstly I want to apologize for being late on that topic, but I
>> missed the list on exim relevant precautions regarding exim4 running on
>> an Ubuntu precise box.
>> I updated my box, and it is using the right and advised openssl
>> libraries.
>> Could you be so kind, to tell me -if there are any- what steps need
>> to be taken to secure exim?
>
>Run:
>
>    exim -d -bV | less
>
>It will give you information about the compile-time and run-time
>versions of various libraries; on a box where Exim is using OpenSSL,
>this might be something like:
>
>----------------------------8< cut here >8------------------------------
>Library version: OpenSSL: Compile: OpenSSL 1.0.1e 11 Feb 2013
>                          Runtime: OpenSSL 1.0.1g 7 Apr 2014
>----------------------------8< cut here >8------------------------------
>
>If you're using standard Exim packages on Ubuntu, then there's nothing
>to do, because Exim will be using GnuTLS instead of OpenSSL, so
>Heartbleed was not an issue for you:
>----------------------------8< cut here >8------------------------------
>Library version: GnuTLS: Compile: 2.12.14
>                         Runtime: 2.12.14
>----------------------------8< cut here >8------------------------------
>
>If you are using a custom Exim build using OpenSSL, but using the system
>OpenSSL libraries, then it's highly likely that you're using an OpenSSL
>which was patched without changing the run-time reported version number.
>Worse, Exim just reports the basic version string, not the build
>timestamp, so you can't prove directly that a new Exim process is using
>the correct library. But if only one OpenSSL library is installed, and
>"lsof -c exim4" shows that the library file mmap'd into the Exim
>address-space is the correct path (and not some other OpenSSL which
>you'd forgotten about) then you should be good. Make sure to restart
>Exim after updating OpenSSL.
>
>Regards,
>-Phil


--
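
The check described in the quoted reply, as an added example that is not part of the original thread: one function extracts the TLS library and its compile-time and run-time versions from `exim -d -bV` output, and another lists the TLS libraries mapped into a running process and flags any that were replaced on disk since the daemon started. It assumes a Linux host with `/proc` and `pgrep` and reads `/proc/<pid>/maps` instead of `lsof`; the function names and the sample mappings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The parsers read stdin so they can be
# exercised offline on the constructed sample at the bottom.

# Print "library|compile-time version|run-time version" from `exim -d -bV`.
tls_library() {
    awk '
        /^Library version: (OpenSSL|GnuTLS):/ {
            lib = $3; sub(/:$/, "", lib)
            comp = $0; sub(/^.*Compile: */, "", comp)
            want_runtime = 1; next
        }
        want_runtime && /^[ \t]+Runtime:/ {
            run = $0; sub(/^[ \t]+Runtime: */, "", run)
            print lib "|" comp "|" run
        }
        { want_runtime = 0 }
    '
}

# Print each TLS library mapped into a process, from /proc/<pid>/maps text.
# "STALE" = the file was replaced on disk after the process mapped it, i.e.
# the daemon has not been restarted since the library was updated.
mapped_tls_libs() {
    awk '
        $6 ~ "/lib(ssl|crypto|gnutls)[^/]*[.]so" {
            key = (($7 == "(deleted)") ? "STALE" : "ok") " " $6
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    '
}

# Live check (assumes the daemon is named exim4, as in the lsof command
# above). Run as root so every Exim process's maps file is readable.
check_exim() {
    exim -d -bV 2>&1 | tls_library
    for pid in $(pgrep -x exim4); do
        mapped_tls_libs < "/proc/$pid/maps"
    done
}

# Constructed sample: a process still holding the pre-update OpenSSL files.
SAMPLE_MAPS='7f10a0000000-7f10a0055000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0055000-7f10a0058000 rw-p 00055000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0400000-7f10a05b0000 r-xp 00000000 08:01 1312 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)'
printf '%s\n' "$SAMPLE_MAPS" | mapped_tls_libs
```

Call `check_exim` on the mail host itself; any `STALE` line means that Exim process predates the library update and still needs the restart mentioned above.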