Heartbleed: dovecot2 is still vulnerable after upgrade of OpenSSL library

Clemens Lang cal at macports.org
Mon Apr 28 06:45:13 PDT 2014


Hi Winfried

> I reinstalled dovecot from the MacPorts packages server but to no avail. The
> vulnerability is still there.

OK, so we know it's not a statically linked OpenSSL (at least not in dovecot, it
might still be in one of dovecot's dependencies). Since those are only libiconv,
zlib and, well, openssl in the default configuration, that seems unlikely as well.
Are you using any variants for your dovecot installation?

Maybe the test script you're using has a bug. Try using a different script
(although I doubt that'll help).


> - I safe-booted the machine and the vulnerability is *gone*. Of course this
>   is no option in real life

OK, that points to some library linking/loading issue -- something that possibly
affects how the loader behaves. I thought we had ruled this one out using
DYLD_PRINT_LIBRARY_PATH, though.

> To summarize:
> - dovecot is vulnerable on my system regardless whether the binaries are
>   built via MacPorts or via the original tarballs.
> - apache is not vulnerable using the same OpenSSL library.
> - dovecot is not vulnerable if the machine is safe-booted.
> This is all really weird.

I don't think I can help any further at this point. I'd suggest you take this
upstream to the developers of dovecot2 -- maybe they know something about how
openssl is used in their software that might shed some light on the problem.

-- 
Clemens Lang

