IMPORTANT NOTICE REGARDING OpenSSL 1.0.1 to OpenSSL 1.0.1f


Sorry for the ALL CAPS :frantics: title, but this is an important issue all server admins here need to be aware of.

This is a warning of a major vulnerability in all versions of OpenSSL 1.0.1 to OpenSSL 1.0.1f - chances are, you are running a version of OpenSSL vulnerable to this exploit.

For more information, please see this page:

http://heartbleed.com/

Please immediately update any servers you are running to the latest release of OpenSSL. You should receive a notice on upgrading that the upgrade you are using addresses a major vulnerability, and it will prompt you to restart all services that rely on OpenSSL in any way. If you can, a complete server restart is recommended after upgrading.

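A check that goes with the advice to restart every service that uses OpenSSL, added here as an example (it is not from the post, from OpenSSL, or from any distro's tooling): the upgrade replaces libssl and libcrypto on disk, but a process that was already running keeps the old copy mapped in memory until it is restarted, and Linux marks such mappings with a "(deleted)" suffix in /proc/<pid>/maps. The script parses that format; the sample maps text at the bottom is constructed, and the live scan needs root to read other users' processes.

```shell
#!/bin/sh
# Added example, not from the thread: find processes that still run the old
# libssl/libcrypto after an upgrade. The upgrade replaces the file on disk, but
# a process started earlier keeps the old copy mapped, and Linux marks such
# mappings "(deleted)" in /proc/<pid>/maps. Those services need a restart.

# stale_ssl_paths: read /proc/<pid>/maps text on stdin and print each distinct
# libssl/libcrypto path that is mapped but marked "(deleted)".
stale_ssl_paths() {
  awk '/\/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$/ { print $6 }' | sort -u
}

# scan_running_processes: apply stale_ssl_paths to every readable /proc/<pid>/maps
# and print "<pid> <command> <path>" per stale mapping. Run as root to see all
# processes; unreadable entries are skipped silently.
scan_running_processes() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}
    pid=${pid%/maps}
    paths=$(cat "$maps" 2>/dev/null | stale_ssl_paths)
    [ -n "$paths" ] || continue
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    for p in $paths; do
      printf '%s %s %s\n' "$pid" "${comm:-?}" "$p"
    done
  done
}

# Constructed sample maps text (not captured from a real host): two stale
# mappings, one current libssl mapping and an unrelated libc line.
SAMPLE_MAPS='7f0a0000-7f0b0000 r-xp 00000000 08:01 4211 /usr/lib64/libssl.so.1.0.1e (deleted)
7f0c0000-7f0d0000 r-xp 00000000 08:01 4210 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f0e0000-7f0f0000 r-xp 00000000 08:01 3001 /lib64/libc.so.6
7f100000-7f110000 r-xp 00000000 08:01 4300 /usr/lib64/libssl.so.1.0.1e'

# sample_stale: run the parser over the constructed sample (offline check).
sample_stale() {
  printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_paths
}

if [ "${1:-}" = --live ]; then
  scan_running_processes
else
  sample_stale
fi
```

Run it with `--live` on the upgraded host; every PID it prints is a service that is still executing the pre-upgrade library and has to be restarted (or the whole machine rebooted, as the post recommends). A process that shows no stale mapping but was started before the upgrade can still be worth restarting if it loaded OpenSSL through a plugin that is not mapped at the moment of the scan.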

I asked my web host about this...here was their response.

It might be late and I'm not making sense of it...but in the first part they say the current version on their servers is 1.0.1e and vulnerable.

Then in the next they say they built an update and installed it on all servers.

And then they showed me the timestamp of the build output (but not the actual version)?


Hello,

The current version of OpenSSL on our servers is 1.0.1e, which is listed as vulnerable. However, the Debian OpenSSL package maintainers have already released an updated version, referred to as 1.0.1e-2+deb7u6 in their repositories. This version no longer contains the vulnerability; it was built yesterday, and has since already been installed on all of our servers by our system administrators. This can be confirmed with output of the following command:

[00:49:14] xxx~$ openssl version -b
built on: Tue Apr 8 10:05:11 UTC 2014

Thus, we can confirm that all actions have been taken to ensure that your account's data is not vulnerable. Please let us know if we can help you further.

Best regards,
Support

And also, are any of you publishing anything to your membership regarding this issue and perhaps recommending a password change once the patch is applied?

I figure most of my users will have no clue what this even means, but they can at least make sense of it being a good idea to update their passwords (understanding they may be compromised).


I asked my web host about this...here was their response.

It might be late and I'm not making sense of it...but in the first part they say the current version on their servers is 1.0.1e and vulnerable.

Then in the next they say they built an update and installed it on all servers.

And then they showed me the timestamp of the build output (but not the actual version)?

I can confirm that my version is (on one of my patched machines):

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
and the build date is:
# openssl version -b
built on: Tue Apr  8 02:39:29 UTC 2014

The version is the same as the vulnerable one reported, but the build date is the 8th of April 2014, which has been patched with the handshake removed from the code by a compile-time option:

-DOPENSSL_NO_HEARTBEATS

This confirms that the vulnerability has been patched (with the above option enabled). I would suspect if the build date is before 8th April 2014, it will still have the vulnerability, hence your version is patched.

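The two outputs compared in this post, the version string and the build date, can be turned into a small script; this is an added example and not code from the thread or from OpenSSL. It encodes the rule of thumb from the post: a version string in the 1.0.1 to 1.0.1f range (or a 1.0.2 beta) built before the fix went out is vulnerable, while the same string built on or after 7 April 2014 (the day 1.0.1g and the distro rebuilds shipped; the posts show 8 April builds) is most likely a backported fix that kept the old version number. The cut-off date FIX_DATE and the sample lines are the example's own; the first two samples mirror the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from any project: a POSIX sh helper
# that classifies an OpenSSL build from the two strings the posts compare,
# the `openssl version` line and the `openssl version -b` line. The lines are
# passed as arguments so the logic runs offline on constructed samples; with
# --live it feeds the local binary's output through the same checks.

# Earliest build date treated as "rebuilt after the fix" (assumption of this
# example): 1.0.1g and the distro rebuilds appeared on 7 April 2014.
FIX_DATE=20140407

# affected_version TOKEN -> exit 0 when the version token (second field of
# `openssl version`, e.g. "1.0.1e-fips") is in the affected 1.0.1 .. 1.0.1f
# range or is a 1.0.2 beta.
affected_version() {
  case "$1" in
    1.0.1|1.0.1[a-f]|1.0.1-*|1.0.1[a-f]-*|1.0.2-beta*) return 0 ;;
    *) return 1 ;;
  esac
}

# build_date_yyyymmdd "built on: Tue Apr  8 02:39:29 UTC 2014" -> 20140408
# Accepts both the old "... UTC 2014" and the newer "... 2014 UTC" layouts;
# exits 1 for unparsable lines such as "reproducible build, date unspecified".
build_date_yyyymmdd() {
  line=${1#"built on:"}
  set -- $line            # word splitting into weekday month day time ...
  [ $# -ge 6 ] || return 1
  case "$2" in
    Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;; May) m=05 ;; Jun) m=06 ;;
    Jul) m=07 ;; Aug) m=08 ;; Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
    *) return 1 ;;
  esac
  day=${3#0}              # strip a leading zero so printf does not read octal
  year=
  for f in "$@"; do
    case "$f" in [0-9][0-9][0-9][0-9]) year=$f ;; esac
  done
  [ -n "$year" ] || return 1
  printf '%s%s%02d\n' "$year" "$m" "$day"
}

# heartbleed_status VERSION_LINE BUILD_LINE -> prints one of
#   not-affected    version outside the affected range (e.g. 1.0.1g, 1.0.2, 3.x)
#   vulnerable      affected version built before FIX_DATE
#   likely-patched  affected version string, but rebuilt on/after FIX_DATE
#                   (distros kept "1.0.1e" and backported the fix)
#   unknown         affected version, build date not parsable
heartbleed_status() {
  ver=${1#"OpenSSL "}     # "1.0.1e-fips 11 Feb 2013"
  ver=${ver%% *}          # "1.0.1e-fips"
  if ! affected_version "$ver"; then
    echo not-affected
    return 0
  fi
  built=$(build_date_yyyymmdd "$2") || { echo unknown; return 0; }
  if [ "$built" -ge "$FIX_DATE" ]; then
    echo likely-patched
  else
    echo vulnerable
  fi
}

if [ "${1:-}" = --live ] && command -v openssl >/dev/null 2>&1; then
  heartbleed_status "$(openssl version)" "$(openssl version -b)"
else
  # Constructed samples; the first two mirror the outputs quoted in the thread.
  heartbleed_status 'OpenSSL 1.0.1e-fips 11 Feb 2013' 'built on: Tue Apr  8 02:39:29 UTC 2014'
  heartbleed_status 'OpenSSL 1.0.1e 11 Feb 2013'      'built on: Mon Feb 11 15:01:52 UTC 2013'
  heartbleed_status 'OpenSSL 1.0.1g 7 Apr 2014'       'built on: Mon Apr  7 12:00:00 UTC 2014'
fi
```

"likely-patched" is a heuristic, which is why it is not called "patched": a build date only proves the binary was rebuilt, not what went into it. On a distro package the definitive check is the package version against the vendor advisory (for example `rpm -q openssl` or `dpkg -s libssl1.0.0` compared with the fixed release named in the advisory), and this script is the fallback for self-built or vendor-supplied binaries where no such advisory applies.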

It might be late and I'm not making sense of it...but in the first part they say the current version on their servers is 1.0.1e and vulnerable.

The exact version number on your system kind of depends on the package maintainers.

For example, under RHEL the fix is 1.0.1e-16.el6_5.7.

Edit: the vulnerable one was 1.0.1e-16.el6_5.4.


I can't help but feel quite angry at heartbleed.com.

codenomicon basically made a huge publicity stunt at the cost of potentially compromising millions of servers that are running openssl 1.0.1. And they sell security? I'm clearly never buying from them.

They came up with a marketable name like heartbleed and made a site for a single vulnerability. And then they didn't even bother telling any of the linux distros that this vulnerability exists. Yet, for some odd reason... they decided to inform cloudflare and no one else. It's not like the biggest datacenters or cloud services like amazon came to know this ahead of time. Just cloudflare. Why? And then they go public with this announcement. And naturally, cloudflare keys in on the opportunity as well, saying how awesome they are for patching things before it went public. Great, now more people know about the vulnerability that no one even had the chance to patch yet.

AFTER it went public, linux distros are in a scurry trying to patch this thing asap. Now sys admins all over the world are in a scurry to patch it. Seriously, WTF. That's NOT how you handle a vulnerability.


openssl got informed 2 days prior to the announcement. cloudflare says they were informed a week before. rhel/centos/debian/etc. weren't informed until after the public announcement. Like on RHEL -----Reported: 2014-04-07 01:56 EDT-----

As soon as openssl made the patch, heartbleed/cloudflare basically went around saying look here! a problem! and we're awesome! Yet, at a stage where you can't even apply it unless you build it yourself.

To me, it's an obvious marketing attempt. Like, since when did we even name bugs? Since when do they get websites?


Yeah, I agree with you. I only threw a link to the website in my post because it seemed to offer the most comprehensive overview of the actual vulnerability at the time.

I wasn't aware of all that. I'd edit my post to include a different source on principle if I could, but I can't edit it any more.


looks like the OpenSSL folks may be the ones at fault, not Cloudflare http://www.webhostingtalk.com/showpost.php?p=9076791&postcount=70 ?

I'm not saying cloudflare is the problem, it's that they're making a bad situation worse by making their announcement so fast.

I wasn't aware of all that. I'd edit my post to include a different source on principle if I could, but I can't edit it any more.

Well, it's pretty much the only comprehensive source. That's why it's such great marketing for them.


Very interesting and scary article if you think about it, thanks very much for sharing :thumbsup:

If this is the case and this vulnerability has been put to use for over two years, then we may have a very big problem, and to top that off, identity fraud (or even regular internet banking/ebay/paypal etc) would look legit.

I think it may be time to go through my own bank statements for the past 2 years.

Very scary indeed :cry:
