Heartbleed: dovecot2 is still vulnerable after upgrade of OpenSSL library
Clemens Lang
cal at macports.org
Mon Apr 21 03:57:11 PDT 2014
Hi,
> I use the following version of dovecot2 and OpenSSL:
>
> --------
> $ port installed | egrep "dovecot|openssl"
> --------
> --> dovecot2 @2.2.12_0 (active)
> --> openssl @1.0.1g_0 (active)
>
> I attack the dovecot server:
> --------
> $ ./cardiac-arrest.py -a -p 993 localhost | grep -i fail
> --------
> --> [FAIL] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:993 is
> vulnerable over SSLv3
> --> [FAIL] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:993 is
> vulnerable over TLSv1.0
> --> [FAIL] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:993 is
> vulnerable over TLSv1.1
> --> [FAIL] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:993 is
> vulnerable over TLSv1.2
>
> What do I have to do in order to get rid of the heartbleed vulnerability of my
> dovecot imap server?
For some reason beyond my understanding, dovecot builds only a static library
for the module it apparently uses to implement SSL support with OpenSSL. This
module is /opt/local/lib/dovecot/libssl_iostream_openssl.a and statically links
against OpenSSL (i.e. it copies the code from libssl.a at the time of the
dovecot2 build). This means we need to rebuild dovecot2 every time a bug is
fixed in OpenSSL to get the fix into dovecot2.
For precisely the reason of problems going by unnoticed, I think not linking
openssl dynamically is a bad decision by the authors of dovecot2. If you have
the time, please file a ticket upstream and ask them to link against OpenSSL
dynamically to simplify security updates.
I have bumped the revision of dovecot2 to force a rebuild in r119239 [1] and
added a note to the OpenSSL Portfile [2] to avoid missing this the next time.
[1] https://trac.macports.org/changeset/119239
[2] https://trac.macports.org/changeset/119240
--
Clemens Lang
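The reply above explains why a statically linked consumer such as
/opt/local/lib/dovecot/libssl_iostream_openssl.a keeps the old OpenSSL code
after the OpenSSL port is upgraded. The following shell script is an added
example for this thread, not code from the original message or from the
dovecot or MacPorts projects: it extracts the OpenSSL version banner that
libcrypto embeds in anything linked against it and compares it with the version
you expect, so a stale copy can be spotted before a scanner has to tell you.
It assumes a grep that supports -a (GNU and BSD grep both do); the sample file
it builds is constructed for demonstration and the archive path is the one
named in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): detect a stale, statically
# linked OpenSSL copy by reading the version banner embedded in a file and
# comparing it with the version the installed OpenSSL should provide.

# Print the first "x.y.zq" OpenSSL version found in FILE (empty if none).
# libcrypto carries an "OpenSSL 1.0.1g 7 Apr 2014"-style banner, so the string
# survives static linking into archives and binaries.
embedded_openssl_version() {
    grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^OpenSSL //'
}

# Print "rebuild" when FILE embeds a version other than WANT, "ok" when it
# matches, and "unknown" when no banner was found (e.g. dynamically linked).
rebuild_status() {
    have=$(embedded_openssl_version "$1")
    if [ -z "$have" ]; then
        echo unknown
    elif [ "$have" = "$2" ]; then
        echo ok
    else
        echo rebuild
    fi
}

# Check a consumer against the version reported by the installed openssl(1).
# Usage: check_against_installed /opt/local/lib/dovecot/libssl_iostream_openssl.a
check_against_installed() {
    want=$(openssl version | awk '{print $2}')
    printf '%s: embedded=%s installed=%s -> %s\n' \
        "$1" "$(embedded_openssl_version "$1")" "$want" \
        "$(rebuild_status "$1" "$want")"
}

# Constructed sample for offline testing: a fake archive whose bytes include
# an old (pre-fix) banner among non-text content. Not a real library.
make_sample() {
    printf '\177ELF\001\002junk\003OpenSSL 1.0.1f 6 Jan 2014\004more\005' > "$1"
}
```

On a MacPorts system the interesting call is
`check_against_installed /opt/local/lib/dovecot/libssl_iostream_openssl.a`:
after `port upgrade openssl` the embedded banner will still read the old
version until dovecot2 itself is rebuilt, which is exactly the situation the
revision bump in r119239 addresses. A result of "unknown" for a dynamically
linked binary is expected, since the banner then lives only in libcrypto.dylib.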