
Re: [SECURITY] [DSA 2896-1] openssl security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear all,

We are very concerned about the 'Heartbeat' security problem which has
been discovered with OpenSSL. Thanks to our out-of-date old-stable
version of Debian, we are using:

openssl 0.9.8o-4squeeze14

This page also claims Debian 6 (which we use) is unaffected:
https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability

as does the text of the DSA below.

However, both of the heartbeat vulnerability checkers we have used have
told us that they were able to successfully exploit this vulnerability
against our site:

http://filippo.io/Heartbleed/#noflag.org.uk
https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk

What could be going on here?

Thanks in advance for all your help,

Daniel

Salvatore Bonaccorso wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2896-1                   security@debian.org
> http://www.debian.org/security/                       Salvatore Bonaccorso
> April 07, 2014                         http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : openssl
> CVE ID         : CVE-2014-0160
> Debian Bug     : 743883
> 
> A vulnerability has been discovered in OpenSSL's support for the
> TLS/DTLS Heartbeat extension. Up to 64KB of memory from either client
> or server can be recovered by an attacker. This vulnerability might
> allow an attacker to compromise the private key and other sensitive
> data in memory.
> 
> All users are urged to upgrade their openssl packages (especially 
> libssl1.0.0) and restart applications as soon as possible.
> 
> According to the currently available information, private keys should
> be considered as compromised and regenerated as soon as possible.
> More details will be communicated at a later time.
> 
> The oldstable distribution (squeeze) is not affected by this 
> vulnerability.
> 
> For the stable distribution (wheezy), this problem has been fixed in 
> version 1.0.1e-2+deb7u5.
> 
> For the testing distribution (jessie), this problem has been fixed
> in version 1.0.1g-1.
> 
> For the unstable distribution (sid), this problem has been fixed in 
> version 1.0.1g-1.
> 
> We recommend that you upgrade your openssl packages.
> 
> Further information about Debian Security Advisories, how to apply 
> these updates to your system and frequently asked questions can be 
> found at: http://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCgAGBQJTSAmqAAoJEJhsX8U2K7jUaD0H/2FUZIr4qKST1NCAKrgjP53V
jQknF8erQrGhUrP1hKE2FckuKJljeUAv6rUEVJCiuEPWmCgL08Eoy1SZuIG2S72q
vRbfyYaIz2GKVoGdbkW0GMe963mLUhJ1H5PdcPrsApUZ9AcwQPYKGqLx4/TTrOsB
nbr19ELLQbZCfE8SsUuMDpy/bHeF3c9gb5iUhcnpow6KIjzYGKaJfhiV6HxVlkDX
krdkegdOUn2wKu/deLoARpMqyz6a7son8YcbQ71/XIogtGnxY0L4T9Nabj4NChB/
ggIu+7x62teyb56vToySrXKF5HaqDE2Bna7cJSlD0ia64ME1yG/4joL93Jt10IY=
=kDpQ
-----END PGP SIGNATURE-----