[kwlug-disc] Heartbleed OpenSSL bug

CrankyOldBugger crankyoldbugger at gmail.com
Tue Apr 8 20:42:43 EDT 2014


I got the same 1.0.1e when I upgraded this morning on my 13.10.


On 8 April 2014 19:38, Bob Jonkman <bjonkman at sobac.com> wrote:

>
> On 14-04-08 12:09 PM, CrankyOldBugger wrote:
> > I just ran apt-get update && apt-get dist-upgrade on my Ubuntu
> > 13.10 laptop and saw both openSSL client and server in the mix, so,
> > as stated by the OP, fixes are out there...
>
> I too saw OpenSSL patches come in before I even knew there was a
> problem. But I still get this, even after a reboot:
>
> > Ubuntu 12.04.4:
> >> openssl version
> > OpenSSL 1.0.1 14 Mar 2012
> >
> > Ubuntu 13.10, Linux Mint 16 Petra, and Linux Mint Debian Edition
> >> openssl version
> > OpenSSL 1.0.1e 11 Feb 2013
>
> Those dates appear too old for an upgrade released yesterday.
>
> According to http://www.ubuntu.com/usn/usn-2165-1/ these are the
> correct package versions for the patched OpenSSL:
>
> > Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.2
> > Ubuntu 12.10: libssl1.0.0 1.0.1c-3ubuntu2.7
> > Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.12
>
> The version numbers on my servers match those of Ubuntu, but according
> to http://heartbleed.com these are the affected versions:
>
> > * OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> > * OpenSSL 1.0.1g is NOT vulnerable
> > * OpenSSL 1.0.0 branch is NOT vulnerable
> > * OpenSSL 0.9.8 branch is NOT vulnerable
>
> I tend to believe the Ubuntu information, who originated the patch but
> may not have incremented the alphabetic suffix in the version. So I
> think my servers are patched, even though they display vulnerable
> version numbers.
>
> And Khalid's python script only works against Web servers, not XMPP or
> mail servers (which are equally vulnerable).  The online test at
> http://filippo.io/Heartbleed/ gives no results at all for XMPP.
>
> - --Bob.
>
>
> On 14-04-08 12:09 PM, CrankyOldBugger wrote:
> > I just ran apt-get update && apt-get dist-upgrade on my Ubuntu
> > 13.10 laptop and saw both openSSL client and server in the mix, so,
> > as stated by the OP, fixes are out there...
> >
> >
> >
> > On 8 April 2014 11:54, Adam Glauser <adamglauser at gmail.com> wrote:
> >
> >> On Tue, Apr 8, 2014 at 11:40 AM, L.D. Paniak
> >> <ldpaniak at fourpisolutions.com> wrote:
> >>
> >>> As many of you already know, there is a critical flaw in
> >>> OpenSSL versions 1.0.1-1.0.1f (and 1.0.2beta) which allows for
> >>> attackers to access server (and client) memory.
> >>
> >>
> >> Regarding client software: You can check Cygwin systems as
> >> follows: `cygcheck -l | grep cygssl`. Firefox and Chrome/Chromium
> >> use NSS instead of OpenSSL, so are not vulnerable.
> >>
> >> Also, there is a command-line tester tool you can use to check
> >> your sites. [1] There is also a web tester at
> >> http://filippo.io/Heartbleed/, though it seems to be having load
> >> problems (surprise!).
> >>
> >> Does anyone know if Android apps typically provide their own SSL
> >> implementation? That is, does each app need updating?
> >>
> >> [1] https://github.com/FiloSottile/Heartbleed
>
>
> Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-669-0388
> SOBAC Microcomputer Services             http://sobac.com/sobac/
> http://bob.jonkman.ca/blogs/    http://sn.jonkman.ca/bobjonkman/
> Software   ---   Office & Business Automation   ---   Consulting
> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>
>
>
>
>
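Bob's observation is the practical point of the thread: on Ubuntu the `openssl version` banner stays at 1.0.1e after the fix, so the dpkg package version of libssl1.0.0 is what has to be compared against the USN. The script below is an added example, not code from this thread, from Khalid or from Ubuntu; it implements dpkg's version-ordering rules and checks an installed libssl1.0.0 version string against the USN-2165-1 versions quoted above. The installed version strings used are constructed sample input, not data from any real machine.

```python
import re

# Fixed libssl1.0.0 package versions per release, as quoted from USN-2165-1.
USN_2165_1 = {"12.04": "1.0.1-4ubuntu5.12",
              "12.10": "1.0.1c-3ubuntu2.7",
              "13.10": "1.0.1e-3ubuntu1.2"}

def _order(c):
    # dpkg character weight: '~' sorts before end-of-string (0),
    # letters sort before any other symbol.
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    # Alternate non-digit runs (lexical, dpkg weights) and digit runs (numeric).
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for x, y in zip(sa, sb):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if len(sa) != len(sb):  # one run ended: its extra char vs end-of-string
            return _order(sa[len(sb):len(sb) + 1]) - _order(sb[len(sa):len(sa) + 1])
        sa, sb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        if int(sa or 0) != int(sb or 0):
            return int(sa or 0) - int(sb or 0)
    return 0

def _split(v):
    # Debian form is epoch:upstream-revision; epoch and revision are optional.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, ""
    return int(epoch), upstream, rev

def dpkg_compare(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_patched(release, installed):
    """True when the installed libssl1.0.0 version is at or above the USN fix."""
    return dpkg_compare(installed, USN_2165_1[release]) >= 0

# Constructed sample: the value `dpkg-query -W -f='${Version}' libssl1.0.0` would
# print on a 13.10 machine upgraded after USN-2165-1 (banner still says 1.0.1e).
print(is_patched("13.10", "1.0.1e-3ubuntu1.2"))  # True
```

On a live system feed `is_patched` the release and the output of `dpkg-query -W -f='${Version}' libssl1.0.0`; a result of False means the package has not reached the USN version even if the OpenSSL banner looks current.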