Hi,

as many others, I patched my machines today because of the horrible
OpenSSL bug:

$ apt-cache policy libssl1.0.0
libssl1.0.0:
  Installed: 1.0.1e-2+deb7u6
  Candidate: 1.0.1e-2+deb7u6
  Version table:
     1.0.1g-1 0
        -10 http://http.debian.net/debian/ sid/main amd64 Packages
 *** 1.0.1e-2+deb7u6 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u4 0
        500 http://http.debian.net/debian/ wheezy/main amd64 Packages

I made sure all relevant services were restarted after the upgrade. I
even rebooted the (virtual) machine just to be sure.

But when using the test tool from https://github.com/FiloSottile/Heartbleed
I am notified that Apache on my server is still vulnerable:

$ ./Heartbleed well-adjusted.de:443
2014/04/08 16:30:09 ([]uint8) {
 00000000  02 00 79 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..yheartbleed.fi|
 00000010  6c 69 70 70 6f 2e 69 6f  59 45 4c 4c 4f 57 20 53  |lippo.ioYELLOW S|
 00000020  55 42 4d 41 52 49 4e 45  6e 10 a2 39 eb 0f 73 9e  |UBMARINEn..9..s.|
 …
}

Dovecot is apparently fine:

$ ./Heartbleed well-adjusted.de:993
2014/04/08 16:36:19 well-adjusted.de:993 - SAFE

Am I doing anything wrong? Is the testing tool broken? I also tried the
one at https://gist.github.com/takeshixx/10107280 which confirms there
is still a problem on port 443 (HTTPS served by Apache).

J.
-- 
In the west we kill people like chickens.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>