Heartbleed: dovecot2 is still vulnerable after upgrade of OpenSSL library

Winfried Dietmayer Winfried.Dietmayer at t-online.de
Mon Apr 21 06:05:16 PDT 2014


Hi Clemens,

thank you for your quick response. But I’m not sure whether you are right. 

I forced a rebuild of first the OpenSSL library and then of dovecot. I already posted the result. According to your proposition this should have solved the issue. But it didn’t.

dovecot2 does link the current OpenSSL library dynamically. You have to look not only at the dovecot2 binary, but at the following ones:
——————
$ find /opt/local/libexec/dovecot/  -exec "file" {} \; -print | grep "Mach-O 64-bit executable" | cut -d " " -f 1 | sed "s/://g" | xargs otool -L
——————
After some further cleaning up, the result is:
—> ./imap-login
—> ./imap-urlauth-login
—> ./pop3-login
—> ./ssl-params

They all use the same OpenSSL library:
————
/opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
————

And this is the right one according to MacPorts:
—————
$ /opt/local/bin/port contents openssl @1.0.1g_0 | grep -E "ssl.*(a|dylib)$"
—————
—> /opt/local/lib/libssl.1.0.0.dylib
—> /opt/local/lib/libssl.dylib -> libssl.1.0.0.dylib
————— 

Thus the sequential rebuild of OpenSSL and dovecot doesn’t solve the problem I’m afraid.

Regards,
		Winfried


> Hi,
> 
>> I use the following version of dovecot2 and OpenSSL:
>> 
>> --------
>> $ port installed | egrep "dovecot|openssl"
>> --------
>> -->  dovecot2 @2.2.12_0 (active)
>> -->  openssl @1.0.1g_0 (active)
>> 
>> I attack the dovecot server:
>> --------
>> $ ./cardiac-arrest.py  -a -p 993 localhost | grep -i fail
>> --------
>> --> [FAIL] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:993 is
>> vulnerable over SSLv3
>> --> [FAIL] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:993 is
>> vulnerable over TLSv1.0
>> --> [FAIL] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:993 is
>> vulnerable over TLSv1.1
>> --> [FAIL] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:993 is
>> vulnerable over TLSv1.2
>> 
>> What I have to do in order to get rid of the heartbleed vulnerability of my
>> dovecot imap server?
> 
> For some reason beyond my understanding, dovecot builds only a static library
> for the module it apparently uses to implement SSL support with OpenSSL. This
> module is /opt/local/lib/dovecot/libssl_iostream_openssl.a and statically links
> against OpenSSL (i.e. it copies the code from libssl.a at the time of the
> dovecot2 build). This means we need to rebuild dovecot2 every time a bug is
> fixed in OpenSSL to get the fix into dovecot2.
> 
> For precisely the reason of problems going by unnoticed I think not linking
> openssl dynamically is a bad decision by the authors of dovecot2. If you have
> the time, please file a ticket upstream and ask them to link against OpenSSL
> dynamically to simplify security updates.
> 
> I have bumped the revision of dovecot2 to force a rebuild in r119239 [1] and
> added a note to the OpenSSL Portfile [2] to avoid missing this the next time.
> 
> [1] https://trac.macports.org/changeset/119239
> [2] https://trac.macports.org/changeset/119240
> 
> -- 
> Clemens Lang
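As an added example (not code from the thread, MacPorts or dovecot), the following Python script automates the check discussed above: it parses `otool -L` output of the kind the find/xargs pipeline produces, verifies that every libssl/libcrypto dependency of each helper is a path the patched openssl port owns, and flags binaries with no dynamic OpenSSL dependency at all, which is the statically linked case Clemens describes. The otool output, the port-owned paths and the binary name `./some-helper` are constructed for the example.

```python
import re

# Constructed sample of `otool -L` output (not captured from a real system).
# Names and paths mirror the thread; "./some-helper" is a hypothetical binary
# included to show the case where no OpenSSL dependency is visible at all.
SAMPLE_OTOOL = """\
./imap-login:
\t/opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/opt/local/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
./pop3-login:
\t/usr/local/ssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
./some-helper:
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
"""
# Paths the patched openssl port owns, as `port contents openssl` lists them.
PORT_OWNED = {"/opt/local/lib/libssl.1.0.0.dylib",
              "/opt/local/lib/libcrypto.1.0.0.dylib"}
DEP_RE = re.compile(r"^\s+(\S+) \(compatibility version")
SSL_LIB_RE = re.compile(r"/lib(ssl|crypto)[.\d]*\.dylib$")

def parse_otool(text):
    """Return {binary: [dependency paths]} from otool -L output."""
    deps, current = {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line[0].isspace():
            current = line[:-1]            # "./imap-login:" opens a stanza
            deps[current] = []
        elif current is not None:
            m = DEP_RE.match(line)
            if m:
                deps[current].append(m.group(1))
    return deps

def audit(text, port_owned=PORT_OWNED):
    """Classify each binary: 'ok', 'foreign:<paths>' or 'no-dynamic-ssl'.
    'no-dynamic-ssl' means no libssl/libcrypto dependency is visible: the binary
    either does not use OpenSSL or links it statically (the case Clemens
    describes), so rebuilding the OpenSSL port alone cannot patch it."""
    verdict = {}
    for binary, paths in parse_otool(text).items():
        ssl = [p for p in paths if SSL_LIB_RE.search(p)]
        if not ssl:
            verdict[binary] = "no-dynamic-ssl"
        else:
            foreign = [p for p in ssl if p not in port_owned]
            verdict[binary] = "foreign:" + ",".join(foreign) if foreign else "ok"
    return verdict

if __name__ == "__main__":
    for binary, verdict in sorted(audit(SAMPLE_OTOOL).items()):
        print(f"{binary}: {verdict}")
```

On a real system, feed it the output of the otool pipeline and the paths from `port contents openssl`; a "foreign" or "no-dynamic-ssl" verdict on a login helper is the binary to rebuild or investigate.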



More information about the macports-users mailing list