
Re: URGENT: Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160



On Wed, 16 Apr 2014 03:01:40 +0200
Klaus Knopper <debian-knoppix@knopper.net> wrote:

> Hello John,
> 
> On Tue, Apr 15, 2014 at 02:19:57PM -0400, john
> Culleton wrote:
> > On Thu, 10 Apr 2014 01:24:55 +0200
> > Klaus Knopper <debian-knoppix@knopper.net>
> > wrote:
> > 
> > > Hello Gilles,
> > > 
> > > On Wed, Apr 09, 2014 at 03:03:33AM -0700,
> > > Gilles van Ruymbeke wrote:
> > > > Hello,
> > > > This week is going to be quite
> > > > interesting... Now that the word has been
> > > > released it will be a worldwide race
> > > > between the Hackers and the Sys Admins
> > > > trying to fix this nasty "Heart Bleed"
> > > > libSSL bug before too much "cloud data"
> > > > gets stolen & users get very upset.
> > > 
> > > I've read the news early.
> > > 
> > > Lucky for me, my own servers weren't
> > > affected, since I used a libssl version
> > > there that did not support heartbeat. 
> > > 
> > > > Please consider updating asap libSSL to
> > > > version 1.0.1g, cf: CVE-2014-0160
> > > > https://heartbleed.com/
> > > > http://filippo.io/Heartbleed/
> > > > http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
> > > > http://filippo.io/Heartbleed/
> > > 
> > > I've read the advisory and can confirm that
> > > it affects apache2 & co., i.e. all included
> > > servers that use libssl1.0.0 (which is
> > > actually version 1.0.1e) on Knoppix
> > > versions not older than 2 years; only IF
> > > these servers are started, of course. As
> > > far as I read from the advisory, client
> > > programs like browser or ssh are not
> > > affected because it is the server side that
> > > leaks 64k of memory to a specially crafted
> > > heartbeat client request, so online banking
> > > or shopping with Knoppix should still be
> > > safe. Of course I will update libssl in the
> > > next public release anyways.
> > > 
> > > wpa_supplicant on Knoppix, btw, was using
> > > libtls instead of openssl due to a bug in
> > > openssl that kept eduroam (frequently used in
> > > German universities) from functioning
> > > correctly, so the network-manager was not
> > > affected at all in Knoppix. I will check if
> > > the new version of libssl has also fixed
> > > this issue and revert to the original debian
> > > wpa_supplicant if it is the case (don't like
> > > forking essential packages).
> > > 
> > > As a quick fix for ssl servers, when using
> > > the current version of Knoppix installed on
> > > USB flash disk (as recommended), doing an
> > > update of libssl1.0.0 will replace
> > > libssl1.0.0 with the bugfixed 1.0.1g
> > > version from Debian:
> > > 
> > > sudo apt-get update
> > > sudo apt-get install -t unstable libssl1.0.0
> > > 
> > > (no need to replace all the servers that use
> > > libssl).
> > > 
> > > Regards
> > > -Klaus
> > > 
> > > 
> > 
> > Does the latest version of Knoppix have the
> > bug?
> 
> "Latest" releases being 7.2.0 and 7.3.0, yes,
> since they were out before the bug discovery.
> 
> > If
> > not I will just upgrade.
> 
> All (!) GNU/Linux distributions with the
> original libssl1.0.x (i.e. from the past 2
> years till now) had the "heartbleed" bug.
> Upgrading just the libssl1.0.0 package from
> Debian/unstable or Debian/stable/security fixes
> it, all servers that are SSL-aware. In case you
> had an SSL server running on the internet, you
> should also replace certificates & private key
> of the server as well as changing passwords for
> websites.
> 
> http://en.wikipedia.org/wiki/Heartbleed
> 
> Regards
> -Klaus
> 
> 

Very helpful. The Slackware folks updated two
packages, 
openssl-1.0.1g
and
openssl-solibs-1.0.1g

Nobody else seems concerned about the latter.
Perhaps Debian-based releases update it
automatically when the first package is
installed. 

-- 
John Culleton
Wexford Press
Free list of books for self-publishers:
http://wexfordpress.net/shortlist.html
PDF e-book: "Create Book Covers with Scribus"
available at
http://www.booklocker.com/books/4055.html
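The quoted quick fix (upgrade the libssl1.0.0 package, which is the shared library every SSL-aware server loads) and John's question about which packages need updating both come down to one check: which OpenSSL version is actually installed. The script below is an added example written for this thread; it is not Klaus Knopper's, Knoppix's or Debian's code. It classifies a version string against the upstream facts (OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release carry the bug, 1.0.1g is the first fixed release, 0.9.8 and 1.0.0 never had the heartbeat extension) and runs that classification over a `dpkg -l` listing. The listing used here is constructed, not taken from a real system. One assumption to keep in mind: distributions backport fixes without changing the upstream number (Debian wheezy's fixed package was 1.0.1e-2+deb7u5), so on a stable system a "vulnerable" result from this script means "check the package changelog or the advisory", not a definite finding.

```shell
#!/bin/sh
# Heartbleed (CVE-2014-0160) triage helper for Debian-style package lists.
# Added example for this thread; not Klaus Knopper's, Knoppix's or Debian's code.
# Upstream facts used: OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1
# pre-release) ship the buggy TLS heartbeat code; 1.0.1g is the first fixed
# release; the 0.9.8 and 1.0.0 branches never had the heartbeat extension.
# Limitation: a distro backport (e.g. Debian's 1.0.1e-2+deb7u5) keeps the
# old upstream number and is reported as "vulnerable" here, so treat that
# result as "verify against the advisory" on stable systems.

# Classify one package version string: vulnerable | fixed | not-affected | unknown
heartbleed_status() {
    raw=$1
    case "$raw" in
        1.0.2-beta1|1.0.2~beta1*) echo vulnerable; return ;;
    esac
    v=${raw#*:}            # strip epoch:           "1:1.0.1e-2" -> "1.0.1e-2"
    v=${v%%-*}             # strip Debian revision: "1.0.1e-2+deb7u5" -> "1.0.1e"
    case "$v" in
        1.0.1|1.0.1[a-f])   echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*) echo fixed ;;
        0.9.8*|1.0.0*)      echo not-affected ;;
        *)                  echo unknown ;;
    esac
}

# Read `dpkg -l` output on stdin and report every installed (ii) package whose
# name contains "ssl", with its Heartbleed status. On Debian the shared library
# is libssl1.0.0 and "openssl" is only the command-line tool; servers load the
# former, which is why the quoted quick fix upgrades libssl1.0.0 alone.
scan_dpkg() {
    while read -r st name ver _rest; do
        [ "$st" = ii ] || continue                 # skip header and non-installed rows
        case "$name" in *ssl*) ;; *) continue ;; esac
        printf '%s %s %s\n' "${name%%:*}" "$ver" "$(heartbleed_status "$ver")"
    done
}

# Number of installed *ssl* packages classified as vulnerable (listing on stdin).
count_vulnerable() {
    scan_dpkg | grep -c ' vulnerable$' || true    # grep -c exits 1 on zero matches
}

# Constructed sample of `dpkg -l` output (not captured from a real machine).
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                Version          Architecture  Description
+++-===================-================-=============-==========================
ii  libssl1.0.0:amd64   1.0.1e-2         amd64         SSL shared libraries
ii  openssl             1.0.1g-1         amd64         Secure Sockets Layer toolkit
ii  libssl0.9.8:amd64   0.9.8o-4         amd64         SSL shared libraries (old)
ii  apache2             2.4.9-1          amd64         Apache HTTP Server'

# Usage: run on the sample here, or on a live system with
#   dpkg -l 'libssl*' 'openssl*' | scan_dpkg
printf '%s\n' "$SAMPLE_DPKG" | scan_dpkg
```

Because the library is loaded at process start, a server that was already running when libssl1.0.0 was upgraded keeps the old copy mapped until it is restarted; the listing above reports what is on disk, not what each running process has in memory.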

