
Re: [SECURITY] [DSA 2896-1] openssl security update



On 11.04.2014, at 17:26, daniel <daniel@noflag.org.uk> wrote:

> 
> We are very concerned about the 'Heartbeat' security problem which has
> been discovered with OpenSSL. Thanks to our out-of-date old-stable
> version of debian, we are using:
> 
> openssl 0.9.8o-4squeeze14
> 
> This page also claims debian 6 (which we use) is unaffected:
> https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
> 
> as does the text of the DSA below.
> 
> However, both of the heartbeat vulnerability checkers we have used have
> told us that they were able to successfully exploit this vulnerability
> against our site:
> 
> http://filippo.io/Heartbleed/#noflag.org.uk
> https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk
> 
> What could be going on here?

You are not using the squeeze-Apache but a newer one compiled with a newer openssl.

If you do a dpkg -l openssl and don’t get a higher version than 0.9.8 you are probably running one of these “all in one” website packages that provides its own apache and applications.

Dirk
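
The check suggested in the reply above, as an added example that is not part of the original thread: it lists the libssl/libcrypto files that processes actually have mapped, so they can be compared with what dpkg -l openssl reports. It assumes a Linux /proc filesystem; the function names, the /opt/bundle path and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): show which libssl/libcrypto files are
# really mapped by processes, to compare with what `dpkg -l openssl` reports.

# Read /proc/<pid>/maps-format lines on stdin; print the unique libssl/libcrypto
# paths. A "(deleted)" suffix marks a file replaced on disk while still loaded.
mapped_ssl_libs() {
    awk '$6 ~ "/lib(ssl|crypto)[^/]*[.]so" {
             print $6 ($7 == "(deleted)" ? " (deleted)" : "")
         }' | LC_ALL=C sort -u
}

# Walk all readable processes (run as root to see every one) and label each
# mapped library by whether dpkg knows the file.
scan_live() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        mapped_ssl_libs 2>/dev/null < "$maps" | while read -r lib; do
            case "$lib" in
                *" (deleted)") origin="stale-restart-needed" ;;
                *) if dpkg -S "$lib" >/dev/null 2>&1
                   then origin="dpkg-package"
                   else origin="not-from-dpkg"
                   fi ;;
            esac
            printf '%s\t%s\t%s\n' "$pid" "$origin" "$lib"
        done
    done
}

# Constructed sample maps lines (hypothetical addresses, inodes and paths):
# a system 0.9.8 library next to a bundled 1.0.0 one, plus a stale mapping.
SAMPLE_MAPS='7f1a2c000000-7f1a2c05a000 r-xp 00000000 08:01 131099 /usr/lib/libssl.so.0.9.8
7f1a2c25a000-7f1a2c3d0000 r-xp 00000000 08:01 131098 /usr/lib/libcrypto.so.0.9.8
7f1a2d000000-7f1a2d060000 r-xp 00000000 08:01 262200 /opt/bundle/lib/libssl.so.1.0.0
7f1a2d25f000-7f1a2d263000 rw-p 0005f000 08:01 262200 /opt/bundle/lib/libssl.so.1.0.0
7f1a2e000000-7f1a2e17a000 r-xp 00000000 08:01 131200 /lib/libc-2.11.3.so
7f1a2f000000-7f1a2f05a000 r-xp 00000000 08:01 131300 /usr/lib/libssl.so.0.9.8 (deleted)'

# Default: parse the constructed sample. Pass --live to scan this machine.
case "${1:-}" in
    --live) scan_live ;;
    *)      printf '%s\n' "$SAMPLE_MAPS" | mapped_ssl_libs ;;
esac
```

With --live, a web server process showing a "not-from-dpkg" libssl is the situation described in the reply: the library answering on port 443 is not the one the openssl package installed.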
