Heartbleed: dovecot2 is still vulnerable after upgrade of OpenSSL library
Clemens Lang
cal at macports.org
Thu Apr 24 06:01:25 PDT 2014
Hi Winfried,
> --------
> Apr 23 10:55:55 Winfrieds-XXXX.local dovecot[66453]: imap-login:
> Error: dyld: loaded: /opt/local/lib/libssl.1.0.0.dylib
> Apr 23 10:55:55 Winfrieds-XXXX.local dovecot[66453]: imap-login:
> Error: dyld: loaded: /opt/local/lib/libcrypto.1.0.0.dylib
> --------
> --------
> OpenSSL 1.0.1g 7 Apr 2014
> SSLv2 part of OpenSSL 1.0.1g 7 Apr 2014
> SSLv3 part of OpenSSL 1.0.1g 7 Apr 2014
> TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014
> DTLSv1 part of OpenSSL 1.0.1g 7 Apr 2014
> --------
OK, so your dovecot uses the correct OpenSSL library and that library
is a version that shouldn't be vulnerable to the heartbleed issue.
That leaves a few other things to rule out:
- Dovecot still has an old copy of OpenSSL embedded that it uses for
those places that handle the TLS connection. I think that one is
unlikely given that you did rebuild dovecot and that it has been
revbumped. Nevertheless you should be able to rule it out by
re-installing dovecot from the binary archives that are now
available on the packages server. That would give you the exact
binary I've been using, which wasn't vulnerable on my system.
- The port you're testing is not actually being served by the dovecot
instance we've been looking at. Please verify that you're actually
testing the correct dovecot instance by stopping all possible
dovecot servers, starting one manually using
    $> sudo /opt/local/sbin/dovecot -F
and checking that it is the one listening on the port you test using
    $> lsof -i tcp:$port
You could also try running another SSL-enabled service using the same
OpenSSL version (e.g. apache2 from MacPorts) and check if that is
vulnerable to heartbleed.
--
Clemens Lang
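The two checks Clemens suggests (which process actually owns the port, and which OpenSSL images that process has loaded) can be done in one go with lsof, which also shows the case the rebuild would not fix: a second, older libssl mapped alongside the MacPorts one. The script below is an added example, not code from this thread or from MacPorts. It assumes lsof is installed (it is on OS X and on most Linux distributions), that the MacPorts prefix is /opt/local, and that it is run with sudo so lsof can see processes owned by other users. The lsof output embedded in it is constructed for the offline demo; PIDs, device numbers and inodes are made up and the vendor libssl line is there only to show what the warning looks like.

```shell
#!/bin/sh
# Added example (not from the original thread). For a TCP port, find the
# process that is really listening on it and list every libssl/libcrypto
# image it has mapped, flagging any that is not under the MacPorts prefix.
# Assumes lsof; run with sudo. EXPECTED_LIBDIR is an assumption (MacPorts).
EXPECTED_LIBDIR="${EXPECTED_LIBDIR:-/opt/local/lib}"

# Constructed sample output (not captured from a real host), used by the demo:
# roughly what `sudo lsof -nP -i tcp:993` and `sudo lsof -nP -p 2314` print.
SAMPLE_LSOF_PORT='COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
dovecot 2314 root   13u  IPv4 0x3a2b1c0d9e8f7a6b      0t0  TCP *:993 (LISTEN)
dovecot 2314 root   14u  IPv6 0x3a2b1c0d9e8f7a6c      0t0  TCP *:993 (LISTEN)
imap-login 2320 dovecot 5u IPv4 0x3a2b1c0d9e8f7a6d 0t0 TCP 192.0.2.10:993->198.51.100.7:51234 (ESTABLISHED)'
SAMPLE_LSOF_PID='COMMAND  PID USER   FD   TYPE DEVICE  SIZE/OFF     NODE NAME
dovecot 2314 root  cwd    DIR    1,4       680  1234567 /
dovecot 2314 root  txt    REG    1,4    281408  2345678 /opt/local/sbin/dovecot
dovecot 2314 root  txt    REG    1,4    432176  2345679 /opt/local/lib/libssl.1.0.0.dylib
dovecot 2314 root  txt    REG    1,4   1955248  2345680 /opt/local/lib/libcrypto.1.0.0.dylib
dovecot 2314 root  txt    REG    1,4    523456  3456789 /usr/lib/libssl.0.9.8.dylib
dovecot 2314 root   13u  IPv4 0x3a2b1c0d9e8f7a6b      0t0      TCP *:993 (LISTEN)'

# stdin: `lsof -i tcp:PORT` output. Prints "COMMAND PID" once per process
# in LISTEN state (the IPv4 and IPv6 sockets of one daemon collapse to one line).
listening_processes() {
    awk 'index($0, "(LISTEN)") { print $1, $2 }' | sort -u
}

# stdin: `lsof -p PID` output. Prints the path of every mapped libssl or
# libcrypto image (any version suffix, .dylib or .so). The path is taken from
# the first "/" onward so a trailing "(deleted)" marker on Linux survives:
# that marker means the process still runs the library you just replaced.
loaded_ssl_libs() {
    awk -v re='/lib(ssl|crypto)[^/]*[.](dylib|so)' \
        '$0 ~ re { print substr($0, index($0, "/")) }' | sort -u
}

# stdin: library paths. Prints the ones outside EXPECTED_LIBDIR, i.e. an
# OpenSSL that your upgrade did not touch (for example the OS vendor's copy).
foreign_ssl_libs() {
    awk -v dir="$EXPECTED_LIBDIR/" 'index($0, dir) != 1'
}

# $1 command, $2 pid, $3 port; stdin: `lsof -p PID` output for that process.
report_process() {
    libs=$(loaded_ssl_libs)
    echo "== $1 (pid $2) is listening on tcp/$3"
    if [ -z "$libs" ]; then
        # Nothing mapped: either the TLS work is done by child processes such
        # as imap-login (check those PIDs too) or OpenSSL is linked statically.
        echo "   no libssl/libcrypto image mapped; check the login/imap children"
        return 0
    fi
    echo "$libs" | sed 's/^/   /'
    bad=$(echo "$libs" | foreign_ssl_libs)
    if [ -n "$bad" ]; then
        echo "   WARNING: OpenSSL images outside $EXPECTED_LIBDIR:"
        echo "$bad" | sed 's/^/     /'
    fi
}

# Live check: sudo sh check-ssl-libs.sh 993
check_port() {
    lsof -nP -i "tcp:$1" | listening_processes | while read -r cmd pid; do
        lsof -nP -p "$pid" | report_process "$cmd" "$pid" "$1"
    done
}

# Offline run over the constructed samples: sh check-ssl-libs.sh --demo
demo() {
    printf '%s\n' "$SAMPLE_LSOF_PORT" | listening_processes | while read -r cmd pid; do
        printf '%s\n' "$SAMPLE_LSOF_PID" | report_process "$cmd" "$pid" 993
    done
}

case "${1:-}" in
    --demo) demo ;;
    '') ;;            # no argument: only define the functions
    *) check_port "$1" ;;
esac
```

The process that owns the listening socket is the dovecot master; the TLS handshake itself happens in the imap-login (and pop3-login) children, which is why the log lines above come from imap-login. After the master checks out clean, run `sudo lsof -nP -p <pid>` on those child PIDs as well, and do it after at least one TLS connection has been made, since a process that has never spoken TLS may not have mapped libssl yet.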