1

Topic: vulnerabilities in iredmail new install

I have installed iRedMail 0.9.1 and found some security vulnerabilities:


* OpenSSL Running Version Prior to 1.0.1i

1- Apache Running Version Prior to 2.4.12
2- OpenSSL Running Version Prior to 1.0.1j (POODLE)
3- Apache Running Version Prior to 2.4.8
4- Apache NULL Pointer Dereference DoS
5- Apache Running Version Prior to 2.4.10
6- OpenSSL Running Version Prior to 1.0.1h

*Low
1- OpenSSL Version Detection
2- IMAP Service STARTTLS Command Support
3- SMTP Service STARTTLS Command Support
4- TCP Timestamps Retrieval
5- HTTP Packet Inspection
6- HTTP TRACE Method XSS Vulnerability
7- Directory Scanner
8- ICMP Timestamp Request




How do I update Apache, OpenSSL, etc.?


==== Required information ====
- iRedMail version: 0.9.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): apache
- Linux/BSD distribution name and version: Linux
- Related log if you're reporting an issue: security
====


2

Re: vulnerabilities in iredmail new install

iRedMail doesn't build packages for Apache/OpenSSL. To keep the packages installed on your system up to date, you should run a tool like 'yum/apt-get' to update packages. If your Linux/BSD vendor doesn't provide newer packages, please either wait for your vendor, or ask them.

3

Re: vulnerabilities in iredmail new install

CentOS 7 does not come preinstalled with Apache. You control what version of Apache is installed during installation.

4

Re: vulnerabilities in iredmail new install

iRedMail simply runs the default package manager in CentOS, which happens to be YUM, and fetches the latest version available from the repos that your system had been configured for. If you wish for newer versions, find repositories that support your distro and serve these newer versions, then YUM update, upgrade etc. and everything will work as you'd like.