[170758] in North American Network Operators' Group
RE: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
daemon@ATHENA.MIT.EDU (David Hubbard)
Tue Apr 8 08:18:53 2014
Date: Tue, 8 Apr 2014 08:18:04 -0400
From: David Hubbard <dhubbard@dino.hostasaurus.com>
To: <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Don't forget to restart every daemon that was using the old library as
well, or just reboot.
-----Original Message-----
From: Peter Kristolaitis [mailto:alter3d@alter3d.ca]
Sent: Tuesday, April 08, 2014 1:19 AM
To: nanog@nanog.org
Subject: Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Not just run the updates -- all private keys should be changed too, on
the assumption that they've been compromised already. THAT is going to
be the crappy part of this.
- Pete
On 4/8/2014 1:13 AM, David Hubbard wrote:
> RHEL and CentOS both have patches out as of a couple hours ago, so run
> those updates! CentOS' mirrors do not all have it yet, so if you are
> updating, make sure you get the 1.0.1e-16.el6_5.7 version and not older.
>
> David
>
> -----Original Message-----
> From: Paul Ferguson [mailto:fergdawgster@mykolab.com]
> Sent: Tuesday, April 08, 2014 1:07 AM
> To: NANOG
> Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - - ferg
>
>
>
> Begin forwarded message:
>
>> From: Rich Kulawiec <rsk@gsp.org>
>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>> Date: April 7, 2014 at 9:27:40 PM EDT
>>
>> This reaches across many versions of Linux and BSD and, I'd presume,
>> into some versions of operating systems based on them.
>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>> places.
>>
>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>
>> Technical details: Heartbleed Bug http://heartbleed.com/
>>
>> OpenSSL versions affected (from link just above):
>> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>> OpenSSL 1.0.0 branch is NOT vulnerable
>> OpenSSL 0.9.8 branch is NOT vulnerable
>>
>
> - --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
> =aAzE
> -----END PGP SIGNATURE-----
>
>
>
>
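
One way to act on the "restart every daemon that was using the old library" advice, as an added example that is not from any poster in this thread: list the processes that still have the replaced libssl/libcrypto mapped. It assumes Linux `/proc` and that the package update unlinked the old library file, so the kernel shows its mapping with a trailing ` (deleted)`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find processes that still map a replaced OpenSSL library.
# A constructed /proc/<pid>/maps line of the kind this looks for:
#   7f2c1a000000-7f2c1a062000 r-xp 00000000 fd:01 393250 /usr/lib64/libssl.so.1.0.1e (deleted)

# Read maps content on stdin; print each deleted libssl/libcrypto path once.
# Field 6 is the mapped path. NSS's libssl3.so is deliberately not matched.
stale_ssl_libs() {
    awk '/[(]deleted[)]$/ && $6 ~ "/lib(ssl|crypto)[.]so" {
             if (!seen[$6]++) print $6
         }'
}

# Walk a proc-style root (default /proc) and print "pid<TAB>name<TAB>library"
# for every process that is still running on the old library.
scan_procs() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        # Skip processes we cannot read or that exited mid-scan.
        [ -r "$dir/maps" ] || continue
        libs=$({ stale_ssl_libs < "$dir/maps"; } 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "${dir##*/}" "$name" "$lib"
        done
    done
}

# Scan the live system; pass another root as $1 to scan a copy instead.
scan_procs "$@"
```

Run it as root so every process's maps file is readable; an empty result after the restarts (or a reboot) means nothing is still holding the old library in memory.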