
Re: URGENT: Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160



On Wed, 16 Apr 2014 09:17:26 -0400
john Culleton <John@wexfordpress.com> wrote:

> On Wed, 16 Apr 2014 03:01:40 +0200
> Klaus Knopper <debian-knoppix@knopper.net>
> wrote:
> 
> > Hello John,
> > 
> > On Tue, Apr 15, 2014 at 02:19:57PM -0400, john
> > Culleton wrote:
> > > On Thu, 10 Apr 2014 01:24:55 +0200
> > > Klaus Knopper <debian-knoppix@knopper.net>
> > > wrote:
> > > 
> > > > Hello Gilles,
> > > > 
> > > > On Wed, Apr 09, 2014 at 03:03:33AM -0700,
> > > > Gilles van Ruymbeke wrote:
> > > > > Hello,
> > > > > This week is going to be quite
> > > > > interesting... Now that the word has
> > > > > been released it will be a worldwide
> > > > > race between the Hackers and the Sys
> > > > > Admins trying to fix this nasty "Heart
> > > > > Bleed" libSSL bug before too much
> > > > > "cloud data" gets stolen & users get
> > > > > very upset.
> > > > 
> > > > I've read the news early.
> > > > 
> > > > Lucky for me, my own servers weren't
> > > > affected, since I used a libssl version
> > > > there that did not support heartbeat. 
> > > > 
> > > > > Please consider updating asap libSSL to
> > > > > version 1.0.1g, cf: CVE-2014-0160
> > > > > https://heartbleed.com/
> > > > > http://filippo.io/Heartbleed/
> > > > > http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
> > > > > http://filippo.io/Heartbleed/
> > > > 
> > > > I've read the advisory and can confirm
> > > > that it affects apache2 & co., i.e. all
> > > > included servers that use libssl1.0.0
> > > > (which is actually version 1.0.1e) on
> > > > Knoppix versions not older than 2 years;
> > > > only IF these servers are started, of
> > > > course. As far as I read from the
> > > > advisory, client programs like browsers or
> > > > ssh are not affected because it is the
> > > > server side that leaks 64k of memory to a
> > > > specially crafted heartbeat client
> > > > request, so online banking or shopping
> > > > with Knoppix should still be safe. Of
> > > > course I will update libssl in the next
> > > > public release anyways.
> > > > 
> > > > wpa_supplicant on Knoppix, btw, was using
> > > > libtls instead of openssl due to a bug in
> > > > openssl that kept eduroam (frequently used
> > > > in German universities) from functioning
> > > > correctly, so the network-manager was not
> > > > affected at all in Knoppix. I will check
> > > > if the new version of libssl has also
> > > > fixed this issue and revert to the
> > > > original Debian wpa_supplicant if it is
> > > > the case (don't like forking essential
> > > > packages).
> > > > 
> > > > As a quick fix for ssl servers, when using
> > > > the current version of Knoppix installed
> > > > on USB flash disk (as recommended), doing
> > > > an update of libssl1.0.0 will replace
> > > > libssl1.0.0 with the bugfixed 1.0.1g
> > > > version from Debian:
> > > > 
> > > > sudo apt-get update
> > > > sudo apt-get install -t unstable libssl1.0.0
> > > > 
> > > > (no need to replace all the servers that
> > > > use libssl).
> > > > 
> > > > Regards
> > > > -Klaus
> > > > 
> > > > 
> > > 
> > > Does the latest version of Knoppix have the
> > > bug?
> > 
> > "Latest" releases being 7.2.0 and 7.3.0, yes,
> > since they were out before the bug discovery.
> > 
> > > If
> > > not I will just upgrade.
> > 
> > All (!) GNU/Linux distributions with the
> > original libssl1.0.x (i.e. from the past 2
> > years till now) had the "heartbleed" bug.
> > Upgrading just the libssl1.0.0 package from
> > Debian/unstable or Debian/stable/security
> > fixes it for all servers that are SSL-aware. In
> > case you had an SSL server running on the
> > internet, you should also replace the
> > certificates & private key of the server as
> > well as change passwords for websites.
> > 
> > http://en.wikipedia.org/wiki/Heartbleed
> > 
> > Regards
> > -Klaus
> > 
> > 
> 
> Very helpful. The Slackware folks updated two
> packages, 
> openssl-1.0.1g
> and
> openssl-solibs-1.0.1g
> 
> Nobody else seems concerned about the latter.
> Perhaps Debian-based releases update it
> automatically when the first package is
> installed. 
> 

Today I updated my Slack partition with two
bugfixed libraries:
openssl-1.0.1h
and
gnutls-3-1-25

Don't know what the latest is in the
world of Debian and Knoppix.

-- 
John Culleton
Wexford Press
Free list of books for self-publishers:
http://wexfordpress.net/shortlist.html
PDF e-book: "Create Book Covers with Scribus"
available at
http://www.booklocker.com/books/4055.html
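As an added example that is not part of this thread (function names are my own), the following POSIX shell script classifies OpenSSL version strings, taken either from "openssl version" output or from the Debian libssl1.0.0 package version, against the CVE-2014-0160 affected range discussed above, and runs that check on the local host:

```shell
#!/bin/sh
# Added example, not from the thread. 1.0.1 through 1.0.1f are affected by
# CVE-2014-0160; 1.0.1g (the fix named above) and later are fixed; 1.0.0 and
# 0.9.8 never carried the heartbeat extension, so they are not affected.

# Extract the upstream version from "openssl version" output
# ("OpenSSL 1.0.1e 11 Feb 2013") or a Debian package version
# ("1.0.1g-1", "1:1.0.1e-2+deb7u5"), dropping epoch and revision.
openssl_upstream_version() {
    v=""
    for tok in $1; do
        case $tok in
            *[0-9].[0-9]*.[0-9]*) v=$tok; break ;;
        esac
    done
    v=${v#*:}       # "1:1.0.1e-2+deb7u5" -> "1.0.1e-2+deb7u5"
    v=${v%%-*}      # "1.0.1e-2+deb7u5"   -> "1.0.1e" (also drops -beta tags,
                    # so only release versions are classified)
    printf '%s\n' "$v"
}

# Print affected | fixed | no-heartbeat | unknown for such a string.
heartbleed_status() {
    up=$(openssl_upstream_version "$1")
    case $up in
        1.0.1|1.0.1[a-f])                         echo affected ;;
        1.0.1[g-z]*|1.0.[2-9]*|1.[1-9]*|[2-9].*) echo fixed ;;
        1.0.0*|0.9.*)                             echo no-heartbeat ;;
        *)                                        echo unknown ;;
    esac
}

# Report on this host: the openssl binary and, on Debian-based systems
# such as Knoppix, the libssl1.0.0 package named in the thread.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        out=$(openssl version 2>/dev/null) || out=""
        echo "openssl binary:      $out -> $(heartbleed_status "$out")"
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        pkg=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null) || pkg=""
        [ -n "$pkg" ] && echo "libssl1.0.0 package: $pkg -> $(heartbleed_status "$pkg")"
    fi
    return 0
}

check_local_openssl
```

Note that daemons which loaded the old libssl before the package upgrade keep the vulnerable copy mapped until they are restarted, so check the running services as well as the installed version.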