Heartbleed: dovecot2 is still vulnerable after upgrade of OpenSSL library

Winfried Dietmayer Winfried.Dietmayer at t-online.de
Wed Apr 23 02:41:30 PDT 2014


Hi Clemens,

> Instead, please set `import_environment = DYLD_PRINT_LIBRARIES` in
> your dovecot.conf and restart dovecot with
> $> sudo env DYLD_PRINT_LIBRARIES=1 dovecot -F.

It looks the same here:

--------
Apr 23 10:55:55 Winfrieds-XXXX.local dovecot[66453]: imap-login: Error: dyld: loaded: /opt/local/lib/libssl.1.0.0.dylib
Apr 23 10:55:55 Winfrieds-XXXX.local dovecot[66453]: imap-login: Error: dyld: loaded: /opt/local/lib/libcrypto.1.0.0.dylib
--------

> If the path is the same, please run
> $> strings /opt/local/lib/libssl.1.0.0.dylib | grep 'OpenSSL'
> and paste the output. It should contain five lines with the version
> number at 1.0.1g.

Here is my result:

--------
OpenSSL 1.0.1g 7 Apr 2014
SSLv2 part of OpenSSL 1.0.1g 7 Apr 2014
SSLv3 part of OpenSSL 1.0.1g 7 Apr 2014
TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014
DTLSv1 part of OpenSSL 1.0.1g 7 Apr 2014
--------

Thanks & Regards,

Winfried

P.S.: Message resent.



On 22.04.2014 21:23, Clemens Lang wrote:
> Hi Winfried,
> 
>>> What's the output of `sudo env DYLD_PRINT_LIBRARIES=1 dovecot
>>> -F` on your system?
> 
> I should have realized not even the output on my system for that
> command referenced libssl.dylib or libcrypto.dylib…
> 
> Instead, please set `import_environment = DYLD_PRINT_LIBRARIES` in
> your dovecot.conf and restart dovecot with
> $> sudo env DYLD_PRINT_LIBRARIES=1 dovecot -F.
> Then, run cardiac-arrest.py and check your dovecot logfile. It should
> contain the lines printed by the loader due to the DYLD_* variable.
> Mine looks like this:
> 
> Apr 22 21:16:25 cSchlepptop.local dovecot[4788]: imap-login: Error: dyld: loaded: /opt/local/lib/libssl.1.0.0.dylib
> Apr 22 21:16:25 cSchlepptop.local dovecot[4788]: imap-login: Error: dyld: loaded: /opt/local/lib/libcrypto.1.0.0.dylib
> 
> If the path is different for you we have found the problem. If it
> is missing completely, OpenSSL was likely statically linked, and
> we've also found the problem (even though we still wouldn't know
> why the rebuild didn't fix it).
> 
> If the path is the same, please run
> $> strings /opt/local/lib/libssl.1.0.0.dylib | grep 'OpenSSL'
> and paste the output. It should contain five lines with the version
> number at 1.0.1g.
> 
> HTH,
> 
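
The check this thread walks through (which libssl/libcrypto the login process actually loaded, then which OpenSSL version that file embeds), as an added shell example that is not part of the original messages. The function names, the optional root-prefix argument and the sample log and library are constructed; the affected range 1.0.1 through 1.0.1f is the published Heartbleed range, not something stated in the thread.

```sh
# Added example, not from the thread. Function names are hypothetical.

# Unique libssl/libcrypto paths from "dyld: loaded: <path>" lines in log $1.
dyld_ssl_paths() {
    grep -oE 'dyld: loaded: [^ ]*lib(ssl|crypto)[^ ]*\.dylib' "$1" |
        sed 's/^dyld: loaded: //' | sort -u
}

# Distinct OpenSSL version tokens embedded in file $1 (like strings | grep).
embedded_openssl_versions() {
    LC_ALL=C grep -a -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" |
        sed 's/^OpenSSL //' | sort -u
}

# Heartbleed affects 1.0.1 through 1.0.1f; 1.0.1g is the fixed release.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        1.0.1[g-z]*)      echo fixed ;;
        *)                echo other-series ;;
    esac
}

# Print "path version status" per loaded library. $2 is an optional root
# prefix (an assumption, so the constructed demo can run anywhere). Returns 1
# if any version is vulnerable, 2 if the log names no library at all.
check_log() {
    paths=$(dyld_ssl_paths "$1")
    if [ -z "$paths" ]; then echo "no libssl/libcrypto dyld lines"; return 2; fi
    worst=0
    for p in $paths; do
        if [ ! -r "${2:-}$p" ]; then echo "$p unreadable"; continue; fi
        for v in $(embedded_openssl_versions "${2:-}$p"); do
            s=$(heartbleed_status "$v")
            echo "$p $v $s"
            if [ "$s" = vulnerable ]; then worst=1; fi
        done
    done
    return $worst
}

# Constructed demo: a fake log line and a fake library holding a 1.0.1f banner.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/opt/local/lib"
    echo 'Apr 23 10:55:55 host dovecot[1]: imap-login: Error: dyld: loaded: /opt/local/lib/libssl.1.0.0.dylib' > "$t/log"
    printf '\000OpenSSL 1.0.1f 6 Jan 2014\000' > "$t/opt/local/lib/libssl.1.0.0.dylib"
    check_log "$t/log" "$t"; r=$?; rm -rf "$t"; return $r
}
demo || echo "demo: vulnerable library found (exit $?)"
```

Exit status 2 corresponds to the case in the quoted message where the dyld lines are missing completely. A "fixed" result only describes the file on disk, so a login process started before the upgrade still needs a restart.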


