
Re: URGENT: Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160



Hello Gilles,

On Wed, Apr 09, 2014 at 03:03:33AM -0700, Gilles van Ruymbeke wrote:
> Hello,
> This week is going to be quite interesting...
> Now that the word has been released it will be a worldwide race
> between the Hackers and the Sys Admins trying to fix this nasty
> "Heart Bleed" libSSL bug before too much "cloud data" gets stolen &
> users get very upset.

I've read the news early.

Lucky for me, my own servers weren't affected, since I used a libssl
version there that did not support heartbeat. 

> Please consider updating asap libSSL to version 1.0.1g, cf:
> CVE-2014-0160
> https://heartbleed.com/
> http://filippo.io/Heartbleed/
> http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

I've read the advisory and can confirm that it affects apache2 & co.,
i.e. all included servers that use libssl1.0.0 (which is actually
version 1.0.1e) on Knoppix versions not older than 2 years; only IF
these servers are started, of course. As far as I read from the
advisory, client programs like browser or ssh are not affected because
it is the server side that leaks 64k of memory to a specially crafted
heartbeat client request, so online banking or shopping with Knoppix
should still be safe. Of course I will update libssl in the next public
release anyways.

wpa_supplicant on Knoppix, btw, was using libtls instead of openssl due
to a bug in openssl that kept eduroam (frequently used in German
universities) from functioning correctly, so the network-manager was not
affected at all in Knoppix. I will check if the new version of libssl
has also fixed this issue and revert to the original Debian
wpa_supplicant if it is the case (don't like forking essential
packages).

As a quick fix for ssl servers, when using the current version of
Knoppix installed on USB flash disk (as recommended), doing an update of
libssl1.0.0 will replace libssl1.0.0 with the bugfixed 1.0.1g version
from Debian:

sudo apt-get update
sudo apt-get install -t unstable libssl1.0.0

(no need to replace all the servers that use libssl).

Regards
-Klaus
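
The mechanism Klaus describes above (a heartbeat request whose declared payload length exceeds what the record actually carries, so the unpatched server answers with up to 64k of process memory) can be checked for on the defender's side. The following is an added example, not code from this thread or from Knoppix/Debian: it parses a TLS heartbeat record (RFC 6520 layout) and applies the same bounds check that OpenSSL 1.0.1g added, flagging records whose declared length does not fit inside the record. The sample records at the bottom are constructed inline; the function and constant names are my own.

```python
import struct

TLS_HEARTBEAT = 24      # TLS record content type "heartbeat" (RFC 6520)
HB_REQUEST = 1          # HeartbeatMessageType heartbeat_request
HB_RESPONSE = 2         # HeartbeatMessageType heartbeat_response
HB_MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data):
    """Split one TLS record into (content_type, (major, minor), body).

    Raises ValueError when the record is shorter than its own header claims.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, (major, minor), body


def check_heartbeat(record):
    """Classify a single TLS record.

    Returns (verdict, declared_payload_len, actual_body_len). The verdict is
    "heartbleed-suspect" when the declared payload plus the mandatory padding
    cannot fit in the record, i.e. the condition that let unpatched servers
    copy memory beyond the received message into the response.
    """
    ctype, _version, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat", 0, len(body)
    if len(body) < 3:
        return "malformed", 0, len(body)
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed", payload_len, len(body)
    # Bounds check introduced in OpenSSL 1.0.1g: type(1) + length(2) + payload
    # + minimum padding(16) must fit inside the record that was actually read.
    if 1 + 2 + payload_len + HB_MIN_PADDING > len(body):
        return "heartbleed-suspect", payload_len, len(body)
    return "ok", payload_len, len(body)


def scan_stream(data):
    """Walk a byte string of concatenated TLS records and return one verdict
    per record; a record cut off at the end of the stream is reported as
    "truncated" instead of raising."""
    verdicts = []
    offset = 0
    while offset + 5 <= len(data):
        length = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        record = data[offset:offset + 5 + length]
        try:
            verdicts.append(check_heartbeat(record)[0])
        except ValueError:
            verdicts.append("truncated")
        offset += 5 + length
    return verdicts


def heartbeat_record(hb_type, payload, declared_len=None, padding=b"\x00" * HB_MIN_PADDING):
    """Build a TLS 1.1 heartbeat record for use as sample input (constructed
    here for the example; a real deployment would feed captured records)."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", hb_type, declared_len) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


# Constructed samples, not taken from any capture.
BENIGN = heartbeat_record(HB_REQUEST, b"ping")                    # length matches payload
MALFORMED = heartbeat_record(HB_REQUEST, b"", declared_len=0x4000)  # declares 16 KiB, carries none
HANDSHAKE = b"\x16\x03\x01\x00\x01\x00"                            # a non-heartbeat record

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("malformed", MALFORMED), ("handshake", HANDSHAKE)):
        print(name, check_heartbeat(rec))
```

Running the module prints one verdict per sample; `scan_stream` is the entry point to use over a reassembled TLS stream from a capture, and a "heartbleed-suspect" verdict on an incoming request is the event worth alerting on while the libssl update is rolled out.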

