Heartbleed: dovecot2 is still vulnerable after upgrade of OpenSSL library
René J.V. Bertin
rjvbertin at gmail.com
Mon Apr 28 08:39:57 PDT 2014
On Monday April 28 2014 15:45:13 Clemens Lang wrote:
> Hi Winfried
>
> > I reinstalled dovecot from the MacPorts packages server but to no avail. The
> > vulnerability is still there.
[...]
>
> > To summarize:
> > - dovecot is vulnerable on my system regardless of whether the binaries are
> > built via MacPorts or via the original tarballs.
> > - apache is not vulnerable using the same OpenSSL library.
> > - dovecot is not vulnerable if the machine is safe-booted.
> > This is all really weird.
I haven't read the whole thread in detail, so surely this has been done already - did you check what openssl binary gets loaded (or more generally, what files get loaded, for instance using lsof) by dovecot and/or apache, in regular vs. safeboot mode?
The first thought your symptoms above evoke is that you have a vulnerable library hanging around that gets loaded instead of the up-to-date version when you've booted normally.
R
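
The lsof check suggested in this message can be scripted as below. This is an added example, not part of the original post: it filters `lsof` output for the libssl/libcrypto files a process has mapped and prints any that sit outside the expected library directory. The function names and the sample lsof lines are constructed for illustration, and `/opt/local/lib` assumes the default MacPorts prefix.

```shell
#!/bin/sh
# Added example: which OpenSSL libraries does a process really have mapped?
# Assumption: MacPorts is installed under its default prefix, /opt/local.

# Read `lsof -p PID` output on stdin; print each distinct libssl/libcrypto path.
ssl_libs_from_lsof() {
    awk '{
        # NAME is field 9 onward (a path may contain spaces).
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        if (name ~ "/lib(ssl|crypto)[^/]*[.](dylib|so[^/]*)$" && !seen[name]++)
            print name
    }'
}

# Print the mapped OpenSSL libraries that are NOT under the directory in $1.
unexpected_ssl_libs() {
    prefix=$1
    ssl_libs_from_lsof | while IFS= read -r path; do
        case $path in
            "$prefix"/*) ;;                 # expected copy, stay quiet
            *) printf '%s\n' "$path" ;;     # stray copy, report it
        esac
    done
}

# Constructed lsof output (not taken from the thread).
sample_lsof() {
    cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
dovecot  412 root  cwd    DIR    1,2      102   123456 /private/var/run/dovecot
dovecot  412 root  txt    REG    1,2   873456   234567 /opt/local/sbin/dovecot
dovecot  412 root  txt    REG    1,2   412345   345678 /usr/local/lib/libssl.1.0.0.dylib
dovecot  412 root  txt    REG    1,2  1834567   345679 /usr/local/lib/libcrypto.1.0.0.dylib
dovecot  412 root  txt    REG    1,2   600000   456789 /usr/lib/dyld
EOF
}

# Live use: lsof -p PID | unexpected_ssl_libs /opt/local/lib
sample_lsof | unexpected_ssl_libs /opt/local/lib
```

Running the same filter against the process in normal boot and in safe boot, and comparing the two lists, shows directly whether a different library file is being picked up.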