[170767] in North American Network Operators' Group
Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
daemon@ATHENA.MIT.EDU (Steve Clark)
Tue Apr 8 12:21:40 2014
Date: Tue, 08 Apr 2014 12:18:31 -0400
From: Steve Clark <sclark@netwolves.com>
To: Jonathan Lassoff <jof@thejof.com>
In-Reply-To: <CAHsqw9t+kfSvYJxDMS2CbEEZZ-8-sFTg-3chngNq6+BxCphh4w@mail.gmail.com>
X-Securence-RFC2821-MAIL-FROM: sclark@netwolves.com
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
According to the changelog, the CVE is fixed now.
$ rpm -qa|grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
Tue Apr 8 12:17:25 EDT 2014
Z643357:~
$ rpm -q --changelog openssl | less
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
On 04/08/2014 12:11 PM, Jonathan Lassoff wrote:
> For testing, I've had good luck with
> https://github.com/titanous/heartbleeder and
> https://gist.github.com/takeshixx/10107280
>
> Both are mostly platform-independent, so they should be able to work even
> if you don't have a modern OpenSSL to test with.
>
> Cheers and good luck (you're going to need it),
> jof
>
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <mike@mtcc.com> wrote:
>
>> Just as a data point, I checked the servers I run and it's a good thing I
>> didn't reflexively update them first.
>> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>> the vulnerability, but the
>> ones queued up for update do. I assume that redhat will get the patched
>> version soon but be careful!
>>
>> Mike
>>
>>
>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> I'm really surprised no one has mentioned this here yet...
>>>
>>> FYI,
>>>
>>> - - ferg
>>>
>>>
>>>
>>> Begin forwarded message:
>>>
>>> From: Rich Kulawiec <rsk@gsp.org> Subject: Serious bug in
>>>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>>>> 9:27:40 PM EDT
>>>>
>>>> This reaches across many versions of Linux and BSD and, I'd
>>>> presume, into some versions of operating systems based on them.
>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>> places.
>>>>
>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>>>> revealed
>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>>
>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>
>>>> OpenSSL versions affected (from link just above): OpenSSL 1.0.1
>>>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>>>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>>>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>>>>
>>>>
>>> - -- Paul Ferguson
>>> VP Threat Intelligence, IID
>>> PGP Public Key ID: 0x54DC85B2
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.22 (MingW32)
>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>
>>> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
>>> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
>>> =aAzE
>>> -----END PGP SIGNATURE-----
>>>
>>
>>
-- 
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@netwolves.com
http://www.netwolves.com