<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>On Sat, Apr 12, 2014, at 01:17 AM, Ken Murchison wrote:<br></div>
<blockquote type="cite"><div>
All,<br></div>
<div> </div>
<div>
I'm sure you have all heard about the <a href="http://heartbleed.com/">Heartbleed</a> bug by now. If not,
you definitely need to read up on it and take appropriate action. <br></div>
<div> </div>
<div>
A Cyrus admin (not at CMU) has recently run the <a href="https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl">check-ssl-heartbleed</a>
script against his server which was using one of the affected
versions of OpenSSL and was easily able to capture usernames and
passwords, including the admin password.<br></div>
<div> </div>
<div>
Again, please check the versions of OpenSSL on your servers and
patch or upgrade them ASAP.<br></div>
</blockquote><div> </div>
<div>Note that if you just upgrade the openssl libraries, but don't reinstall your Cyrus binaries, then the system won't automatically restart daemons.<br></div>
<div> </div>
<div>You should manually restart Cyrus after you complete your upgrades.<br></div>
<div> </div>
<div>Finally, as Ken mentioned, if you have an SSL-enabled Cyrus listening to the internet, your admin password may have been stolen already. Upgrading OpenSSL won't stop future login attempts with that stolen password.<br></div>
<div> </div>
<div>You still need to change your admin password AFTER you have upgraded OpenSSL.<br></div>
<div> </div>
<div>Cheers,<br></div>
<div> </div>
<div>Bron.<br></div>
<div> </div>
<div id="sig567075"><div class="signature">-- <br></div>
<div class="signature"> Bron Gondwana<br></div>
<div class="signature"> brong@fastmail.fm<br></div>
<div class="signature"> </div>
</div>
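<div>An added example, not part of Bron's or Ken's mail: a small POSIX shell check for the "upgraded the library but never restarted the daemon" situation described above. It assumes a Linux host where the kernel marks replaced files in /proc/&lt;pid&gt;/maps as "(deleted)", and that the OpenSSL libraries are named libssl*/libcrypto*.</div>

```shell
#!/bin/sh
# Added example (not from the original thread). After the OpenSSL packages are
# upgraded, long-running daemons such as the Cyrus master and its children keep
# the old, now-deleted libssl/libcrypto mapped until they are restarted. Linux
# flags such mappings in /proc/<pid>/maps with a trailing "(deleted)".

# stale_ssl_maps reads one /proc/<pid>/maps listing on stdin and prints the
# distinct deleted libssl/libcrypto paths it finds (prints nothing if none).
# Field 6 of a maps line is the pathname; "(deleted)" follows as field 7.
stale_ssl_maps() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' | awk '{print $6}' | sort -u
}

# processes_needing_restart walks every process on the host and reports
# "<pid> <comm> <stale library>" for each one still using a deleted OpenSSL
# library. An empty report after the upgrade means every daemon was restarted.
processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Unreadable maps (other users' processes without root) are skipped.
        stale=$(stale_ssl_maps < "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$stale"
    done
}
```

Run it as root after the OpenSSL upgrade; any line mentioning cyrus processes (master, imapd, pop3d, lmtpd) means the restart Bron asks for has not happened yet.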
</body>
</html>