Aw: Re: [SECURITY] [DSA 2896-1] openssl security update
Your server talks spdy. Have you upgraded mod_spdy to 0.9.4.2?
(for mod_spdy you need an Apache HTTP Server 2.4.X, in squeeze there is only 2.2.16 ...)
> Sent: Friday, 11 April 2014 at 17:26
> From: daniel <daniel@noflag.org.uk>
> To: debian-security@lists.debian.org
> Cc: "- Noflag" <admin@lists.noflag.org.uk>
> Subject: Re: [SECURITY] [DSA 2896-1] openssl security update
>
>
> Dear all,
>
> We are very concerned about the 'Heartbeat' security problem which has
> been discovered with OpenSSL. Thanks to our out-of-date old-stable
> version of debian, we are using:
>
> openssl 0.9.8o-4squeeze14
>
> This page also claims debian 6 (which we use) is unaffected:
> https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
>
> as does the text of the DSA below.
>
> However, both of the heartbeat vulnerability checkers we have used have
> told us that they were able to successfully exploit this vulnerability
> against our site:
>
> http://filippo.io/Heartbleed/#noflag.org.uk
> https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk
>
> What could be going on here?
>
> Thanks in advance for all your help,
>
> Daniel
>
> Salvatore Bonaccorso wrote:
> > -------------------------------------------------------------------------
> > Debian Security Advisory DSA-2896-1                   security@debian.org
> > http://www.debian.org/security/                     Salvatore Bonaccorso
> > April 07, 2014                        http://www.debian.org/security/faq
> > -------------------------------------------------------------------------
> >
> > Package        : openssl
> > CVE ID         : CVE-2014-0160
> > Debian Bug     : 743883
> >
> > A vulnerability has been discovered in OpenSSL's support for the
> > TLS/DTLS Heartbeat extension. Up to 64KB of memory from either client
> > or server can be recovered by an attacker. This vulnerability might
> > allow an attacker to compromise the private key and other sensitive
> > data in memory.
> >
> > All users are urged to upgrade their openssl packages (especially
> > libssl1.0.0) and restart applications as soon as possible.
> >
> > According to the currently available information, private keys should
> > be considered as compromised and regenerated as soon as possible.
> > More details will be communicated at a later time.
> >
> > The oldstable distribution (squeeze) is not affected by this
> > vulnerability.
> >
> > For the stable distribution (wheezy), this problem has been fixed in
> > version 1.0.1e-2+deb7u5.
> >
> > For the testing distribution (jessie), this problem has been fixed
> > in version 1.0.1g-1.
> >
> > For the unstable distribution (sid), this problem has been fixed in
> > version 1.0.1g-1.
> >
> > We recommend that you upgrade your openssl packages.
> >
> > Further information about Debian Security Advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: http://www.debian.org/security/
> >
> > Mailing list: debian-security-announce@lists.debian.org
> >
> >
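The reply above points at something the DSA's "squeeze is not affected" statement cannot cover: mod_spdy links its own copy of OpenSSL, so the distro's libssl 0.9.8 being unaffected says nothing about that module. The following check is added example code written for this page (not from the thread, Debian or the mod_spdy project): it reads a running httpd worker's /proc/PID/maps, searches every mapped file for the embedded OpenSSL version banner, and flags banners in the affected 1.0.1 through 1.0.1f range. The sample maps text and byte blobs are constructed.

```python
import re
from pathlib import Path

# OpenSSL embeds its OPENSSL_VERSION_TEXT banner ("OpenSSL 1.0.1e 11 Feb 2013") in
# libcrypto, so a copy statically linked into a module such as mod_spdy carries it too.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b")
# /proc/PID/maps fields: addr perms offset dev inode [path]; only file-backed mappings have a path.
MAPS_PATH_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(/\S+)$", re.M)

def affected(version: str) -> bool:
    """CVE-2014-0160 exists in upstream 1.0.1 through 1.0.1f only; 0.9.8 and 1.0.0 have no heartbeat code."""
    major, minor, patch, letter = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version).groups()
    return (major, minor, patch) == ("1", "0", "1") and letter <= "f"

def openssl_banners(data: bytes) -> list:
    """Distinct OpenSSL versions whose banner string appears in a binary."""
    return sorted({m.group(1).decode() for m in BANNER_RE.finditer(data)})

def loaded_objects(maps_text: str) -> list:
    """Every file mapped into the process, i.e. each .so an httpd worker has loaded."""
    return sorted({m.group(1) for m in MAPS_PATH_RE.finditer(maps_text)})

def audit(maps_text: str, read_bytes=lambda p: Path(p).read_bytes()) -> list:
    """(path, version, affected) for each loaded object that embeds an OpenSSL banner.
    Caveat: Debian's fixed 1.0.1e-2+deb7u5 still reports "1.0.1e", so for a file dpkg owns
    (dpkg -S <path>) check the package changelog; a file dpkg does not own is outside the DSA."""
    findings = []
    for path in loaded_objects(maps_text):
        try:
            data = read_bytes(path)
        except OSError:  # unreadable or vanished mapping; report nothing rather than guess
            continue
        findings += [(path, v, affected(v)) for v in openssl_banners(data)]
    return findings

# Constructed sample: a squeeze httpd worker with the distro libssl 0.9.8 plus a mod_spdy build that links OpenSSL 1.0.1e.
SAMPLE_MAPS = """7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c200000-7f3a1c24d000 r-xp 00000000 08:01 131211 /lib/libssl.so.0.9.8
7f3a1c600000-7f3a1cb00000 r-xp 00000000 08:01 262144 /usr/lib/apache2/modules/mod_spdy.so
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_BLOBS = {"/lib/libssl.so.0.9.8": b"\x00OpenSSL 0.9.8o 01 Jun 2010\x00",
                "/usr/lib/apache2/modules/mod_spdy.so": b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00"}

if __name__ == "__main__":  # on a live host: audit(Path(f"/proc/{pid}/maps").read_text())
    for path, version, hit in audit(SAMPLE_MAPS, SAMPLE_BLOBS.__getitem__):
        print(f"{'AFFECTED' if hit else 'ok      '} {version:<8} {path}")
```

On the sample the distro libssl reports 0.9.8o (ok) while mod_spdy.so reports 1.0.1e (AFFECTED), which is exactly the situation where external scanners disagree with the package version.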