
Re: Aw: Re: [SECURITY] [DSA 2896-1] openssl security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Thank you all for your help. Mod_spdy has a statically-linked vulnerable
version of OpenSSL. After the standard update we are no longer vulnerable.

Daniel

Estelmann, Christian wrote:
> Your server talks spdy. Have you upgraded mod_spdy to 0.9.4.2?
> 
> (for mod_spdy you need an Apache HTTP Server 2.4.X, in squeeze there
> is only 2.2.16 ...)
> 
>> Sent: Friday, 11 April 2014 at 17:26
>> From: daniel <daniel@noflag.org.uk>
>> To: debian-security@lists.debian.org
>> Cc: "- Noflag" <admin@lists.noflag.org.uk>
>> Subject: Re: [SECURITY] [DSA 2896-1] openssl security update
>> 
> Dear all,
> 
> We are very concerned about the 'Heartbeat' security problem which
> has been discovered with OpenSSL. Thanks to our out-of-date
> old-stable version of debian, we are using:
> 
> openssl 0.9.8o-4squeeze14
> 
> This page also claims debian 6 (which we use) is unaffected:
> https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
> as does the text of the DSA below.
> 
> However, both of the heartbeat vulnerability checkers we have used
> have told us that they were able to successfully exploit this
> vulnerability against our site:
> 
> http://filippo.io/Heartbleed/#noflag.org.uk 
> https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk
> 
> What could be going on here?
> 
> Thanks in advance for all your help,
> 
> Daniel
> 
> Salvatore Bonaccorso wrote:
>>>> -------------------------------------------------------------------------
>>>> Debian Security Advisory DSA-2896-1                   security@debian.org
>>>> http://www.debian.org/security/                      Salvatore Bonaccorso
>>>> April 07, 2014                        http://www.debian.org/security/faq
>>>> -------------------------------------------------------------------------
>>>> 
>>>> Package        : openssl
>>>> CVE ID         : CVE-2014-0160
>>>> Debian Bug     : 743883
>>>> 
>>>> A vulnerability has been discovered in OpenSSL's support for
>>>> the TLS/DTLS Heartbeat extension. Up to 64KB of memory from
>>>> either client or server can be recovered by an attacker. This
>>>> vulnerability might allow an attacker to compromise the private
>>>> key and other sensitive data in memory.
>>>> 
>>>> All users are urged to upgrade their openssl packages
>>>> (especially libssl1.0.0) and restart applications as soon as
>>>> possible.
>>>> 
>>>> According to the currently available information, private keys
>>>> should be considered as compromised and regenerated as soon as
>>>> possible. More details will be communicated at a later time.
>>>> 
>>>> The oldstable distribution (squeeze) is not affected by this 
>>>> vulnerability.
>>>> 
>>>> For the stable distribution (wheezy), this problem has been
>>>> fixed in version 1.0.1e-2+deb7u5.
>>>> 
>>>> For the testing distribution (jessie), this problem has been
>>>> fixed in version 1.0.1g-1.
>>>> 
>>>> For the unstable distribution (sid), this problem has been
>>>> fixed in version 1.0.1g-1.
>>>> 
>>>> We recommend that you upgrade your openssl packages.
>>>> 
>>>> Further information about Debian Security Advisories, how to
>>>> apply these updates to your system and frequently asked
>>>> questions can be found at: http://www.debian.org/security/
>>>> 
>>>> Mailing list: debian-security-announce@lists.debian.org
>>>> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCgAGBQJTSJ6JAAoJEJhsX8U2K7jUalEH/1z4Se3I715yhKe0CKmA67qU
ngPQO8OxRmq9NxdWz+S5+htXEoX8MIF0PF6MIqNmN9toMhBEgGObTuG0UlxRgVa7
6T/6JaWm45Ivl3m8t8enwRddunjFWKTU4/M91eOOsdTmGt8Y7CHuYtN3NoPUMVHf
vUQeyMuWIawS+HiJl0eXTVb3522jVavnkh/WKOTcHGUeTSBBt95DErG2cldCuIXY
Vbru6nsAgNdEwL7dOxpqtsyXNWfCoBJCjsDAZD2nNs1z12Zv0Dx/GHvXf9z2HnH2
3+MIXS2nzgd1+F+tzzNxXlVergp3Q9zLlELckmJwTpvKDrF/hc0eHBYosn2m05k=
=N86v
-----END PGP SIGNATURE-----
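The root cause reported above (a module bundling its own copy of OpenSSL, so the version of the distribution's libssl package says nothing about whether the server is affected) can be checked for directly on the host. The script below is an added example written for this archive page; it is not part of the thread and not Debian or mod_spdy tooling. It scans files for the version text OpenSSL embeds in every build (`OpenSSL 1.0.1e 11 Feb 2013` and similar), flags versions in the range CVE-2014-0160 affects (1.0.1 through 1.0.1f; 1.0.1g is the fixed release the DSA names), and, so that it runs stand-alone, exercises itself on constructed sample files created by `make_samples`. The file names in those samples (mod_spdy.so, libssl.so.1.0.0, mod_rewrite.so) and the directories mentioned in the comments are illustrative assumptions, not paths taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find copies of OpenSSL that are
# statically linked into binaries or modules, so that "dpkg -l libssl*"
# reporting a fixed package does not give false comfort.

# True when a version such as "1.0.1e" is in the CVE-2014-0160 range
# (1.0.1 through 1.0.1f; 1.0.1g is the first fixed release, per DSA-2896-1).
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every distinct "OpenSSL X.Y.Zs" version embedded in one file, one
# per line, as "<file> <version>". Uses only POSIX tools, so it also works
# on a minimal box without binutils' strings(1).
scan_file() {
  tr -c '[:print:]' '\n' < "$1" \
    | grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' \
    | sort -u \
    | while read -r name ver; do
        printf '%s %s\n' "$1" "$ver"
      done
}

# For each regular file under the given paths, print "<file> <version>" for
# every embedded OpenSSL copy in the affected range. Output is empty when
# nothing affected was found.
find_affected() {
  find "$@" -type f 2>/dev/null | while read -r f; do
    scan_file "$f" | while read -r path ver; do
      if heartbleed_affected "$ver"; then
        printf '%s %s\n' "$path" "$ver"
      fi
    done
  done
}

# Summarise a scan; returns 1 when any affected copy was found, 0 when clean.
report() {
  hits=$(find_affected "$@")
  if [ -n "$hits" ]; then
    printf 'statically linked OpenSSL in the CVE-2014-0160 range:\n%s\n' "$hits"
    return 1
  fi
  printf 'no affected embedded OpenSSL under: %s\n' "$*"
  return 0
}

# Constructed sample "modules" (assumed names, not real ELF objects) so the
# script can be run without touching a live system: one embeds an affected
# version string, one the fixed 1.0.1g, one no OpenSSL text at all.
make_samples() {
  dir=$(mktemp -d)
  printf 'ELF\001\002junk\000OpenSSL 1.0.1e 11 Feb 2013\000more' > "$dir/mod_spdy.so"
  printf 'ELF\001\002junk\000OpenSSL 1.0.1g 7 Apr 2014\000more' > "$dir/libssl.so.1.0.0"
  printf 'ELF\001\002no crypto here\000' > "$dir/mod_rewrite.so"
  printf '%s\n' "$dir"
}

# Stand-alone demo on the constructed samples. On a real host you would
# instead point report at the module and library directories you care
# about, e.g. report /usr/lib/apache2/modules /usr/sbin /usr/lib (assumed).
samples=$(make_samples)
report "$samples" || true
rm -rf "$samples"
```

On the sample set the report names only mod_spdy.so with version 1.0.1e; the fixed libssl.so.1.0.0 and the module with no OpenSSL text are silent. Because the scan keys on the version text rather than on package metadata, it catches exactly the case in the thread: a package whose binary carries its own OpenSSL and is therefore only fixed once that package itself is rebuilt or upgraded.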
