
OpenSSL Heartbleed bug, Apache still vulnerable?



Hi,

like many others, I patched my machines today because of the horrible
OpenSSL bug:

$ apt-cache policy libssl1.0.0
libssl1.0.0:
  Installed: 1.0.1e-2+deb7u6
  Candidate: 1.0.1e-2+deb7u6
  Version table:
     1.0.1g-1 0
        -10 http://http.debian.net/debian/ sid/main amd64 Packages
 *** 1.0.1e-2+deb7u6 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u4 0
        500 http://http.debian.net/debian/ wheezy/main amd64 Packages

I made sure all relevant services were restarted after the upgrade. I
even rebooted the (virtual) machine just to be sure. But when using the
test tool from https://github.com/FiloSottile/Heartbleed I am notified
that Apache on my server is still vulnerable:

$ ./Heartbleed well-adjusted.de:443
2014/04/08 16:30:09 ([]uint8) {
 00000000  02 00 79 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..yheartbleed.fi|
 00000010  6c 69 70 70 6f 2e 69 6f  59 45 4c 4c 4f 57 20 53  |lippo.ioYELLOW S|
 00000020  55 42 4d 41 52 49 4e 45  6e 10 a2 39 eb 0f 73 9e  |UBMARINEn..9..s.|
…
}

Dovecot is apparently fine:

$ ./Heartbleed well-adjusted.de:993
2014/04/08 16:36:19 well-adjusted.de:993 - SAFE

Am I doing anything wrong? Is the testing tool broken? I also tried the
one at https://gist.github.com/takeshixx/10107280 which confirms there
is still a problem on port 443 (HTTPS served by Apache).

J.
-- 
In the west we kill people like chickens.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
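A complementary check for the "patched but a scanner still reports vulnerable" situation described in the post: after a libssl upgrade, any process that was not restarted keeps the old shared object mapped, and `/proc/<pid>/maps` shows that path with a `(deleted)` suffix. The script below is an added example, not code from the post or from the Heartbleed test tools; it assumes a Linux `/proc` layout, and the `SAMPLE_MAPS` input is constructed for illustration.

```python
"""Report processes that still map a deleted (pre-upgrade) libssl/libcrypto."""
import os
import re

# Matches OpenSSL shared objects, e.g. /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
_LIB_RE = re.compile(r"/lib(ssl|crypto)\.so\S*")


def stale_ssl_libs(maps_text):
    """Return the set of libssl/libcrypto paths mapped as '(deleted)' in one maps file."""
    stale = set()
    for line in maps_text.splitlines():
        if "(deleted)" not in line:
            continue
        # maps columns: address perms offset dev inode pathname
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        path = parts[5].replace(" (deleted)", "")
        if _LIB_RE.search(path):
            stale.add(path)
    return stale


def scan_proc(proc_root="/proc"):
    """Walk proc_root and map pid -> stale OpenSSL libraries (empty dict when clean)."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_ssl_libs(fh.read())
        except OSError:  # process exited, or maps unreadable without privileges
            continue
        if stale:
            result[int(entry)] = stale
    return result


# Constructed sample: a worker that kept the pre-upgrade OpenSSL libraries mapped.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1d4a6000-7f3a1d503000 r-xp 00000000 08:01 131341 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1d703000-7f3a1d8a1000 r-xp 00000000 08:01 131339 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1e000000-7f3a1e1a0000 r-xp 00000000 08:01 262601 /lib/x86_64-linux-gnu/libc-2.13.so
"""

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print("PID %d still maps old OpenSSL: %s" % (pid, ", ".join(sorted(libs))))
```

Run it as root on the patched host; any PID it lists needs a restart regardless of what `apt-cache policy` reports.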
