YUM Updates - IMPORTANT
YUM updates for all versions of BlueOnyx have been published.
The following YUM updates have just been published for BlueOnyx 5106R, 5107R, 5108R, 5207R and 5208R:
They deal with the recently announced POODLE SSLv3 vulnerability and turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP and FTP.
Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R it supports only TLSv1.0, as the underlying OpenSSL is too old. On all other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.
ProFTPD was also updated to the latest version (v1.3.5), which (finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as before: on BlueOnyx 5106R only TLSv1.0 is available, due to the ancient OpenSSL version that ships with CentOS 5.
Caveats: This is a somewhat massive and intrusive update, especially on 5106R, where we went from Dovecot 1.1.8 straight to the latest available version. When Dovecot gets installed, it needs to regenerate its 2048-bit Diffie-Hellman parameters. This can easily take several minutes, during which polling of email via IMAPS or POP3S is not possible. Please wait for it to finish. If you restart Dovecot during that period, it will start the DH calculation over again until it finally completes. After that it will accept TLS connections just fine without a restart of the service.
As SSLv3 is now turned off for all services you might get the odd call from clients who are no longer able to connect to POP3, IMAP, FTP or maybe even to a webpage via HTTPS. Most likely they will be using Windows XP with some really old browsers (like IE6) or an ancient Outlook or similar, which don't support even TLSv1.0 and fall back to the compromised SSLv3 protocol, which we just disabled entirely.
Unless they upgrade they are out of luck. Windows XP is end of life and we will no longer cripple the security of our OS to accommodate them.
If you get such a report from a client that is not using Windows XP, please ask them to update their email client or browser or FTP client to the latest version and to check the connection settings. They might have to change their account settings to use TLS instead of SSLv3.
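To confirm on a server that the SSLv3 switch-off actually took effect, the following added example (not part of the original announcement or of BlueOnyx) sends a minimal SSLv3 ClientHello to each implicit-TLS port and classifies the first record the server answers with. It builds the handshake by hand because current OpenSSL and Python builds usually have SSLv3 compiled out, so "openssl s_client -ssl3" is not available to do the check. The host and the port list (443, 993, 995, 990) are assumptions; adjust them to the services you run.

```python
"""Probe whether a TLS service still accepts SSLv3.

Added example for the BlueOnyx SSLv3 update above; not BlueOnyx code.
Assumptions: implicit-TLS services on the listed ports, reachable from here.
"""
import socket
import struct

SSL3 = (3, 0)  # SSLv3 record/handshake version bytes

# A handful of SSLv3-era RSA cipher suites (AES128/256-SHA, 3DES, RC4). Any one
# of them is enough for a server that still speaks SSLv3 to answer with a ServerHello.
SSL3_CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(version=SSL3, client_random=b"\x00" * 32):
    """Return one TLS record carrying a ClientHello for the given protocol version."""
    major, minor = version
    ciphers = b"".join(struct.pack("!H", c) for c in SSL3_CIPHERS)
    body = (
        bytes([major, minor])                        # client_version
        + client_random                              # 32-byte random (fixed here)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(ciphers)) + ciphers  # cipher_suites
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Classify the first record a server sends back to an SSLv3 ClientHello."""
    if not data:
        return "closed"            # server hung up without answering: SSLv3 refused
    if data[0] == 0x15:
        return "refused"           # alert record (e.g. handshake_failure, protocol_version)
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # handshake record whose first message is ServerHello; bytes 9-10 hold
        # the version the server actually selected
        return "sslv3-accepted" if (data[9], data[10]) == SSL3 else "other"
    return "other"


def probe(host, port, timeout=5.0):
    """Send an SSLv3 ClientHello to host:port (implicit TLS) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    # Implicit-TLS ports for the services the update touches; assumed defaults.
    # Explicit STARTTLS (e.g. FTP on port 21 with AUTH TLS) needs the plaintext
    # preamble first and is not covered by this probe.
    for name, port in (("HTTPS", 443), ("IMAPS", 993), ("POP3S", 995), ("FTPS", 990)):
        try:
            print(f"{name:6} {port:4}: {probe(target, port)}")
        except OSError as exc:
            print(f"{name:6} {port:4}: unreachable ({exc})")
```

Run it as "python3 probe_sslv3.py mail.example.com" on a test machine; after the update every port should report "refused" or "closed". A result of "sslv3-accepted" means the service still negotiates SSLv3 and its configuration needs another look, and "other" covers replies that are neither an alert nor an SSLv3 ServerHello (for instance a server that answers the 3.0 hello with a higher version, which the protocol does not allow but some implementations do).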
If you have problems with these updates, please report them via the BlueOnyx General Mailing List.
UPDATE #1 (30th October 2014 - 11:12 UTC):
Reports have been flooding in about issues with these updates. So more updates have just been published. If you have problems after the YUM update from last night, run "yum clean all" and "yum update" as "root" from SSH to get the latest updates.
Dovecot (all BlueOnyx versions):
Another update of Dovecot now modifies /etc/dovecot/dovecot.conf and sets "listen = *" so that Dovecot only listens on IPv4 interfaces, as suggested by Dirk Estenfeld. Afterwards Dovecot is restarted and should work fine. Typically all BlueOnyx installations should have IPv6 disabled, but apparently there are some builds in the wild where this is not the case. Hence we had these problems there, while it works fine on others.
However: I have separate reports that "IMAP idle" might have issues. I'm still trying to find out whether that affects all versions or just a specific type of BlueOnyx.
base-apache-* (5207R/5208R only):
After the last update it's possible that the PHP Vsite settings got lost, causing "open_basedir" issues on Vsites with PHP or suPHP enabled. This update fixes this. Only affects 5207R/5208R, as the SSL implementation is different there.
UPDATE #2 (30th October 2014 - 14:15 UTC):
Dovecot (all BlueOnyx versions):
Yet another Dovecot (v2.2.15-1BX04) has been released for all BlueOnyx versions, which fixes the following issues:
- IMAP idle issue
- Kills/restarts of Dovecot every minute on OpenVZ VPSs.
- MySQL dependency issues on yum updates with updated MySQL packages installed.
UPDATE #3 (30th October 2014 - 20:00 UTC):
ProFTPd (all BlueOnyx versions):
An updated ProFTPd (v1.3.5-1BX3) has been released for all BlueOnyx versions, which fixes the following issues:
- Regular FTP not working
- Switches secure FTPS to a separate ProFTPd config file (/etc/proftpds.conf)
To get fully updated, please run this as "root" from SSH:
yum clean all