[kwlug-disc] Heartbleed OpenSSL bug

Bob Jonkman bjonkman at sobac.com
Tue Apr 8 19:38:34 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 14-04-08 12:09 PM, CrankyOldBugger wrote:
> I just ran apt-get update && apt-get dist-upgrade on my Ubuntu
> 13.10 laptop and saw both openSSL client and server in the mix, so,
> as stated by the OP, fixes are out there...

I too saw OpenSSL patches come in before I even knew there was a
problem. But I still get this, even after a reboot:

> Ubuntu 12.04.4:
>> openssl version
> OpenSSL 1.0.1 14 Mar 2012
> 
> Ubuntu 13.10, Linux Mint 16 Petra, and Linux Mint Debian Edition
>> openssl version
> OpenSSL 1.0.1e 11 Feb 2013

Those dates appear too old for an upgrade released yesterday.

According to http://www.ubuntu.com/usn/usn-2165-1/ these are the
correct package versions for the patched OpenSSL:

> Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.2 Ubuntu 12.10: 
> libssl1.0.0 1.0.1c-3ubuntu2.7 Ubuntu 12.04 LTS: libssl1.0.0
> 1.0.1-4ubuntu5.12

The version numbers on my servers match those of Ubuntu, but according
to http://heartbleed.com these are the affected versions:

> * OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable * OpenSSL
> 1.0.1g is NOT vulnerable * OpenSSL 1.0.0 branch is NOT vulnerable *
> OpenSSL 0.9.8 branch is NOT vulnerable

I tend to believe the Ubuntu information, who originated the patch but
may not have incremented the alphabetic suffix in the version. So I
think my servers are patched, even though they display vulnerable
version numbers.

And Khalid's python script only works against Web servers, not XMPP or
mail servers (which are equally vulnerable).  The online test at
http://filippo.io/Heartbleed/ gives no results at all for XMPP.

- --Bob.


On 14-04-08 12:09 PM, CrankyOldBugger wrote:
> I just ran apt-get update && apt-get dist-upgrade on my Ubuntu
> 13.10 laptop and saw both openSSL client and server in the mix, so,
> as stated by the OP, fixes are out there...
> 
> 
> 
> On 8 April 2014 11:54, Adam Glauser <adamglauser at gmail.com> wrote:
> 
>> On Tue, Apr 8, 2014 at 11:40 AM, L.D. Paniak 
>> <ldpaniak at fourpisolutions.com
>>> wrote:
>> 
>>> As many of you already know, there is a critical flaw in
>>> OpenSSL versions 1.0.1-1.0.1f (and 1.0.2beta) which allows
>>> attackers to access server (and client) memory.
>> 
>> 
>> Regarding client software: You can check Cygwin systems as 
>> follows: `cygcheck -l | grep cygssl` Firefox and Chrome/Chromium 
>> use NSS instead of OpenSSL, so are not vulnerable.
>> 
>> Also, there is a command-line tester tool you can use to check 
>> your sites. [1] There is also a web tester at 
>> http://filippo.io/Heartbleed/, though it seems to be having load
>> problems (surprise!).
>> 
>> Does anyone know if Android apps typically provide their own SSL
>> implementation? That is, does each app need updating?
>> 
>> [1] https://github.com/FiloSottile/Heartbleed


Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-669-0388
SOBAC Microcomputer Services             http://sobac.com/sobac/
http://bob.jonkman.ca/blogs/    http://sn.jonkman.ca/bobjonkman/
Software   ---   Office & Business Automation   ---   Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Ensure confidentiality, authenticity, non-repudiability

iEYEARECAAYFAlNEiHkACgkQuRKJsNLM5epYaQCgoBV07xYrbKtRkBZfCnaHsyZy
fRkAoN9X3I0Uvk7O/2Oz+8Z0Sglip+du
=B07t
-----END PGP SIGNATURE-----