
Re: OpenSSL Heartbleed bug, Apache still vulnerable?



On 09/04/14 00:49, Jochen Spieker wrote:
> Hi,
> 
> as many others, I patched my machines today because of the horrible
> OpenSSL bug:
> 
> $ apt-cache policy libssl1.0.0
> libssl1.0.0:
>   Installed: 1.0.1e-2+deb7u6
>   Candidate: 1.0.1e-2+deb7u6
>   Version table:
>      1.0.1g-1 0
>         -10 http://http.debian.net/debian/ sid/main amd64 Packages
>  *** 1.0.1e-2+deb7u6 0
>         500 http://security.debian.org/ wheezy/updates/main amd64 Packages
>         100 /var/lib/dpkg/status
>      1.0.1e-2+deb7u4 0
>         500 http://http.debian.net/debian/ wheezy/main amd64 Packages
> 
> I made sure all relevant services were restarted after the upgrade.

# ps uwwp $(find /proc -maxdepth 2 -name maps -exec grep -HE \
    '/libssl\.so.* \(deleted\)' {} \; | cut -d/ -f3 | sort -u)

*Then regenerate keys*

> I even rebooted the (virtual) machine just to be sure. But when using the
> test tool from https://github.com/FiloSottile/Heartbleed I am notified
> that Apache on my server is still vulnerable:


Notice on http://filippo.io/Heartbleed/
"There are load (?) issues causing FALSE NEGATIVES."


> 
> $ ./Heartbleed well-adjusted.de:443
> 2014/04/08 16:30:09 ([]uint8) {
>  00000000  02 00 79 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..yheartbleed.fi|
>  00000010  6c 69 70 70 6f 2e 69 6f  59 45 4c 4c 4f 57 20 53  |lippo.ioYELLOW S|
>  00000020  55 42 4d 41 52 49 4e 45  6e 10 a2 39 eb 0f 73 9e  |UBMARINEn..9..s.|
> …
> }
> 
> Dovecot is apparently fine:
> 
> $ ./Heartbleed well-adjusted.de:993
> 2014/04/08 16:36:19 well-adjusted.de:993 - SAFE
> 
> Am I doing anything wrong? Is the testing tool broken? I also tried the
> one at https://gist.github.com/takeshixx/10107280 which confirms there
> is still a problem on port 443 (HTTPS served by Apache).

That test tool was updated a few hours ago to include checks for
patches. You may find you now get "Version number indicates vulnerable,
but your build is recent so may be patched."

Restart apache2, if you can, reboot.

> 
> J.
> 

Use the code I quoted above to double check you restarted all relevant
services and daemons. All our servers test fine (as being patched) - but
we shut down completely for the key replacement process and some won't
be back on line until tomorrow. At this point we don't know whether to
consider everything potentially compromised - or only the last week or
so..... :(


Kind regards
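The find/grep/ps one-liner above works by spotting mappings in /proc/<pid>/maps that point at a library file which has been replaced on disk (the kernel marks them "(deleted)"). The following script is an added example, not code from the thread or from Debian, that does the same check in Python so it can be read, filtered and reused; it assumes the standard Linux /proc layout, the function names are mine, and SAMPLE_MAPS is a constructed maps excerpt rather than a real capture.

```python
"""List processes that still map a shared library which has been replaced
on disk (shown as "(deleted)" in /proc/<pid>/maps), i.e. services that
still need a restart after a libssl/libcrypto upgrade.
Assumes the Linux /proc layout; run as root to see every process."""
import os
import re
from typing import Dict, List

# Default filter: only OpenSSL's two shared objects; pass "." to list any deleted library.
DEFAULT_FILTER = r"^lib(ssl|crypto)\.so"


def deleted_libs_in_maps(maps_text: str, lib_filter: str = DEFAULT_FILTER) -> List[str]:
    """Return the sorted distinct paths of deleted shared objects found in one
    process's /proc/<pid>/maps content whose basename matches lib_filter."""
    flt = re.compile(lib_filter)
    found = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname.
        # Anonymous mappings have no pathname, so they yield only 5 fields.
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        pathname = parts[5]
        if not pathname.endswith(" (deleted)"):
            continue
        path = pathname[: -len(" (deleted)")]
        if flt.search(os.path.basename(path)):
            found.add(path)
    return sorted(found)


def scan_proc(proc_root: str = "/proc", lib_filter: str = DEFAULT_FILTER) -> Dict[int, dict]:
    """Walk proc_root and return {pid: {"comm": name, "deleted_libs": [...]}}
    for every process that still has a matching deleted library mapped."""
    results: Dict[int, dict] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = deleted_libs_in_maps(fh.read(), lib_filter)
            if not libs:
                continue
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            # The process exited between listdir() and open(), or we are not
            # root and may not read its maps; either way it cannot be reported.
            continue
        results[int(entry)] = {"comm": comm, "deleted_libs": libs}
    return results


# Constructed sample (hypothetical addresses/inodes) of what /proc/<pid>/maps
# looks like for an apache2 worker started before libssl/libcrypto were upgraded.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1048578                            /usr/sbin/apache2
7f3a1c000000-7f3a1c1f7000 r-xp 00000000 08:01 393540                     /lib/x86_64-linux-gnu/libc-2.13.so
7f3a1c400000-7f3a1c462000 r-xp 00000000 08:01 393600                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c462000-7f3a1c661000 ---p 00062000 08:01 393600                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c800000-7f3a1c9b0000 r-xp 00000000 08:01 393601                     /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1cc00000-7f3a1cc01000 rw-p 00000000 00:00 0                          [heap]
7f3a1ce00000-7f3a1ce01000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print("sample maps ->", deleted_libs_in_maps(SAMPLE_MAPS))
    # Live check of this host: one line per process still using an old OpenSSL.
    for pid, info in sorted(scan_proc().items()):
        print(f"{pid}\t{info['comm']}\t{' '.join(info['deleted_libs'])}")
```

A process shows up here only if it was started before the upgrade and still has the old mapping; anything restarted since (or the whole box after a reboot) disappears from the list, which is the same signal the ps/find command gives. An empty list says the new library is in use, not that the private keys served before the patch were safe, so the key replacement the reply mentions is a separate step.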

