
Re: URGENT: Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160



Hello John,

On Tue, Apr 15, 2014 at 02:19:57PM -0400, john Culleton wrote:
> On Thu, 10 Apr 2014 01:24:55 +0200
> Klaus Knopper <debian-knoppix@knopper.net> wrote:
> 
> > Hello Gilles,
> > 
> > On Wed, Apr 09, 2014 at 03:03:33AM -0700,
> > Gilles van Ruymbeke wrote:
> > > Hello,
> > > This week is going to be quite interesting...
> > > Now that the word has been released it will
> > > be a worldwide race between
> > > the Hackers and the Sys Admins trying to fix
> > > this nasty "Heart Bleed" libSSL bug before
> > > too much "cloud data" gets stolen & users get
> > > very upset.
> > 
> > I've read the news early.
> > 
> > Lucky for me, my own servers weren't affected,
> > since I used a libssl version there that did
> > not support heartbeat. 
> > 
> > > Please consider updating asap libSSL to
> > > version 1.0.1g, cf: CVE-2014-0160
> > > https://heartbleed.com/
> > > http://filippo.io/Heartbleed/
> > > http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
> > > http://filippo.io/Heartbleed/
> > 
> > I've read the advisory and can confirm that it
> > affects apache2 & co., i.e. all included
> > servers that use libssl1.0.0 (which is actually
> > version 1.0.1e) on Knoppix versions not older
> > than 2 years; only IF these servers are
> > started, of course. As far as I read from the
> > advisory, client programs like browser or ssh
> > are not affected because it is the server side
> > that leaks 64k of memory to a specially crafted
> > heartbeat client request, so online banking or
> > shopping with Knoppix should still be safe. Of
> > course I will update libssl in the next public
> > release anyways.
> > 
> > wpa_supplicant on Knoppix, btw, was using
> > libtls instead of openssl due to a bug in
> > openssl that kept eduroam (frequently used in
> > German universities) from functioning
> > correctly, so the network-manager was not
> > affected at all in Knoppix. I will check if the
> > new version of libssl has also fixed this issue
> > and revert to the original debian
> > wpa_supplicant if it is the case (don't like
> > forking essential packages).
> > 
> > As a quick fix for ssl servers, when using the
> > current version of Knoppix installed on USB
> > flash disk (as recommended), doing an update of
> > libssl1.0.0 will replace libssl1.0.0 with the
> > bugfixed 1.0.1g version from Debian:
> > 
> > sudo apt-get update
> > sudo apt-get install -t unstable libssl1.0.0
> > 
> > (no need to replace all the servers that use
> > libssl).
> > 
> > Regards
> > -Klaus
> > 
> > 
> 
> Does the latest version of Knoppix have the bug?

"Latest" releases being 7.2.0 and 7.3.0, yes, since they were out before
the bug discovery.

> If
> not I will just upgrade.

All (!) GNU/Linux distributions with the original libssl1.0.x (i.e. from
the past 2 years till now) had the "heartbleed" bug. Upgrading just the
libssl1.0.0 package from Debian/unstable or Debian/stable/security fixes
it for all servers that are SSL-aware. In case you had an SSL server running
on the internet, you should also replace the certificates & private key of
the server as well as change passwords for websites.

http://en.wikipedia.org/wiki/Heartbleed

Regards
-Klaus
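One caveat a practitioner will want alongside the "just upgrade libssl1.0.0" advice above: installing the fixed package only replaces the file on disk. A server that was already running keeps the old, vulnerable libssl mapped in its address space until it is restarted, and the kernel marks such a mapping "(deleted)" in /proc/<pid>/maps. The script below is an added example, not part of this thread or of Knoppix; it reports the installed libssl1.0.0 package version and lists processes that still map a deleted libssl so you know which services to restart. The function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): after "apt-get install libssl1.0.0"
# the fixed library is on disk, but any daemon started earlier still has the
# old copy mapped in memory. Such a mapping shows up as "(deleted)" in
# /proc/<pid>/maps, which is what this script looks for.

# Print the unique PIDs whose map lines reference a deleted libssl.
# Input on stdin: lines of "<pid> <maps line>" (the format scan_proc_maps emits).
stale_libssl_pids() {
    awk '$0 ~ /libssl/ && $0 ~ /\(deleted\)/ { print $1 }' | sort -un
}

# Walk /proc and emit "<pid> <maps line>" for every process we may read.
scan_proc_maps() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/maps" ] || continue
        sed "s/^/$pid /" "$d/maps" 2>/dev/null
    done
}

# Constructed sample in /proc/<pid>/maps layout (not captured from a real host):
# PID 1234 still maps the old libssl, 5678 maps the current one, and 9012 maps
# an unrelated deleted libc and must not be reported.
SAMPLE='1234 7f3a00000000-7f3a00030000 r-xp 00000000 08:01 2001 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
1234 7f3a00030000-7f3a00040000 r--p 00030000 08:01 2001 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
5678 7f3b00000000-7f3b00030000 r-xp 00000000 08:01 2002 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
9012 7f3c00000000-7f3c00010000 r-xp 00000000 08:01 3003 /lib/x86_64-linux-gnu/libc.so.6 (deleted)'

# Number of distinct stale processes found in the sample.
sample_stale_count() {
    printf '%s\n' "$SAMPLE" | stale_libssl_pids | wc -l | tr -d ' '
}

main_demo() {
    echo "Installed libssl package:"
    dpkg-query -W -f='${Package} ${Version}\n' libssl1.0.0 2>/dev/null \
        || echo "  (dpkg not available on this system)"
    echo "Sample scan -> PIDs still mapping a deleted libssl:"
    printf '%s\n' "$SAMPLE" | stale_libssl_pids
    echo "Live scan of this host -> restart these services (empty means none):"
    scan_proc_maps | stale_libssl_pids
}

# Run the demonstration only when invoked with --run, so the functions can
# also be sourced from another script.
case "${1:-}" in
    --run) main_demo ;;
esac
```

Invoke it as `sh check_libssl.sh --run` (as root, since other users' /proc/<pid>/maps are not readable otherwise). The sample scan prints only 1234; the live scan lists the daemons whose in-memory libssl predates the upgrade, which is exactly the set apache2 & co. fall into if they were started before `apt-get install -t unstable libssl1.0.0` and never restarted.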

