
Re: URGENT: Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160



On Thu, 10 Apr 2014 01:24:55 +0200
Klaus Knopper <debian-knoppix@knopper.net> wrote:

> Hello Gilles,
> 
> On Wed, Apr 09, 2014 at 03:03:33AM -0700,
> Gilles van Ruymbeke wrote:
> > Hello,
> > This week is going to be quite interesting...
> > Now that the word has been released it will
> > be a worldwide race between
> > the Hackers and the Sys Admins trying to fix
> > this nasty "Heart Bleed" libSSL bug before
> > too much "cloud data" gets stolen & users get
> > very upset.
> 
> I've read the news early.
> 
> Lucky for me, my own servers weren't affected,
> since I used a libssl version there that did
> not support heartbeat. 
> 
> > Please consider updating asap libSSL to
> > version 1.0.1g, cf: CVE-2014-0160
> > https://heartbleed.com/
> > http://filippo.io/Heartbleed/
> > http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
> > http://filippo.io/Heartbleed/
> 
> I've read the advisory and can confirm that it
> affects apache2 & co., i.e. all included
> servers that use libssl1.0.0 (which is actually
> version 1.0.1e) on Knoppix versions not older
> than 2 years; only IF these servers are
> started, of course. As far as I read from the
> advisory, client programs like browser or ssh
> are not affected because it is the server side
> that leaks 64k of memory to a specially crafted
> heartbeat client request, so online banking or
> shopping with Knoppix should still be safe. Of
> course I will update libssl in the next public
> release anyways.
> 
> wpa_supplicant on Knoppix, btw, was using
> libtls instead of openssl due to a bug in
> openssl that kept eduroam (frequently used in
> German universities) from functioning
> correctly, so the network-manager was not
> affected at all in Knoppix. I will check if the
> new version of libssl has also fixed this issue
> and revert to the original debian
> wpa_supplicant if it is the case (don't like
> forking essential packages).
> 
> As a quick fix for ssl servers, when using the
> current version of Knoppix installed on USB
> flash disk (as recommended), doing an update of
> libssl1.0.0 will replace libssl1.0.0 with the
> bugfixed 1.0.1g version from Debian:
> 
> sudo apt-get update
> sudo apt-get install -t unstable libssl1.0.0
> 
> (no need to replace all the servers that use
> libssl).
> 
> Regards
> -Klaus
> 
> 

Does the latest version of Knoppix have the bug? If
not I will just upgrade.

-- 
John Culleton
Wexford Press
Free list of books for self-publishers:
http://wexfordpress.net/shortlist.html
PDF e-book: "Create Book Covers with Scribus"
available at
http://www.booklocker.com/books/4055.html
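The "64k of memory to a specially crafted heartbeat" that Klaus refers to above comes from the heartbeat handler trusting the payload-length field inside the message instead of the length the TLS record layer actually received. The following is an added illustration, not code from this thread or from OpenSSL: a Python model of that handler with the missing bounds check (the one 1.0.1g adds) switchable on and off, run against a constructed "adjacent memory" buffer so the difference is observable offline.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed sample of bytes that happen to sit next to the record in the
# receive buffer (stand-in for session data; not real key or cookie material).
CONSTRUCTED_MEMORY = b"SECRET: constructed session-cookie bytes; " * 4


def build_heartbeat(payload: bytes, claimed_len: int = -1) -> bytes:
    """Build a heartbeat message body: type(1) | payload_length(2) | payload | padding.

    claimed_len lets the length field disagree with the real payload, which is
    exactly the malformed input the bug failed to reject.
    """
    if claimed_len < 0:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def heartbeat_response(record: bytes, memory_after: bytes, check_bounds: bool):
    """Model the server-side handler.

    record       - the heartbeat bytes the TLS record layer actually received
    memory_after - constructed bytes adjacent to the record in the process buffer
    check_bounds - False reproduces the 1.0.1e behaviour, True the 1.0.1g fix

    Returns the response body, or None when the message is discarded.
    """
    record_len = len(record)
    if record_len < 1 + 2 + PADDING_LEN:  # too short to carry even an empty payload
        return None
    buffer = record + memory_after  # what the copy actually reads from
    hb_type, payload_len = struct.unpack("!BH", buffer[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # The fix: the claimed payload plus header and padding must fit in the record.
    if check_bounds and 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # silently discard, as RFC 6520 requires
    # Without the check, payload_len (up to 65535) bytes are copied from wherever
    # the record ends, which is how unrelated memory ends up in the response.
    payload = buffer[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN
```

A well-formed request produces the same echo with or without the check; only a request whose length field overstates its payload is treated differently, which is why the upstream patch could be a two-line change.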

