Scott Ferguson:
> On 09/04/14 00:49, Jochen Spieker wrote:
>>
>> as many others, I patched my machines today because of the horrible
>> OpenSSL bug:
>>
>> $ apt-cache policy libssl1.0.0
>> libssl1.0.0:
>>   Installed: 1.0.1e-2+deb7u6
>>   Candidate: 1.0.1e-2+deb7u6
>>   Version table:
>>      1.0.1g-1 0
>>         -10 http://http.debian.net/debian/ sid/main amd64 Packages
>>  *** 1.0.1e-2+deb7u6 0
>>         500 http://security.debian.org/ wheezy/updates/main amd64 Packages
>>         100 /var/lib/dpkg/status
>>      1.0.1e-2+deb7u4 0
>>         500 http://http.debian.net/debian/ wheezy/main amd64 Packages
>>
>> I made sure all relevant services were restarted after the upgrade.
>
> # ps uwwp $(find /proc -maxdepth 2 -name maps \
>     -exec grep -HE '/libssl\.so.* \(deleted\)' {} \; | cut -d/ -f3 | sort -u)
Doesn't work here because the find command produces no output. As I
said, I already rebooted the machine so it is impossible that Apache
uses a deleted file.
> *Then regenerate keys*
Yes, I still need to do that.
>> I even rebooted the (virtual) machine just to be sure. But when using the
>> test tool from https://github.com/FiloSottile/Heartbleed I am notified
>> that Apache on my server is still vulnerable:
>
> Notice on http://filippo.io/Heartbleed/
> "There are load (?) issues causing FALSE NEGATIVES."
This only applies to the web version. The command line program that I
used is not affected.
>> Am I doing anything wrong? Is the testing tool broken? I also tried the
>> one at https://gist.github.com/takeshixx/10107280 which confirms there
>> is still a problem on port 443 (HTTPS served by Apache).
>
> That test tool was updated a few hours ago to include checks for
> patches. You may find you now get "Version number indicates vulnerable,
> but your build is recent so may be patched."
I have the most recent version and it still reports my system to be
vulnerable.
> Use the code I quoted above to double check you restarted all relevant
> services and daemons. All our servers test fine (as being patched) - but
> we shut down completely for the key replacement process and some won't
> be back on line until tomorrow. At this point we don't know whether to
> consider everything potentially compromised - or only the last week or
> so..... :(
I think the most important thing is to patch the systems and to replace
all certificates. But then I only run private systems with less than a
dozen users.
J.
--
When standing at the top of Beachy Head I find the rocks below very
attractive.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
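The one-liner Scott quoted above (scan /proc/*/maps for a libssl.so that was replaced on disk but is still mapped by a running process) is the standard post-upgrade check. Below is an added, stand-alone version of that check; it is not from the original thread or from Debian. It extends the quoted command in two ways: it also looks for a deleted libcrypto.so (the library that actually implements the TLS record layer), and it filters out non-numeric /proc entries such as /proc/self. The procfs root is a parameter so the script can be exercised against a constructed directory tree (the sample tree built by make_sample_proc_tree is invented for this example; on a real host you would pass nothing and it scans /proc). Note the caveat that applies to this thread: a machine that has been rebooted cannot have any stale mappings, so an empty result here does not explain a scanner still reporting the host as vulnerable.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Debian.
# Lists PIDs that still map a deleted libssl/libcrypto, i.e. processes that
# were not restarted after the OpenSSL package upgrade.

# Print, one per line, the numeric PIDs under $1 (default /proc) whose maps
# file references a deleted OpenSSL shared object. /proc/self and
# /proc/thread-self are excluded by the numeric filter. Permission errors
# for other users' processes (when not run as root) are silenced.
stale_openssl_pids() {
    proc_root="${1:-/proc}"
    find "$proc_root" -mindepth 2 -maxdepth 2 -name maps \
        -exec grep -lE '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' {} \; 2>/dev/null \
      | awk -F/ '{ print $(NF-1) }' \
      | grep -E '^[0-9]+$' \
      | sort -un
}

# Constructed sample procfs tree (assumption: layout mimics /proc/<pid>/maps).
# PID 1234 still holds the pre-upgrade libssl and libcrypto, PID 5678 already
# runs against the patched copy, and "self" shows why the numeric filter exists.
make_sample_proc_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/1234" "$root/5678" "$root/self"
    printf '%s\n' \
      '7f1c0a000000-7f1c0a1f0000 r-xp 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
      '7f1c0a400000-7f1c0a5f0000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)' \
      > "$root/1234/maps"
    printf '%s\n' \
      '7f1c0b000000-7f1c0b1f0000 r-xp 00000000 08:01 131074 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0' \
      > "$root/5678/maps"
    printf '%s\n' \
      '7f1c0c000000-7f1c0c1f0000 r-xp 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
      > "$root/self/maps"
    echo "$root"
}

# Demonstration against the constructed tree; expected output is "1234".
sample=$(make_sample_proc_tree)
echo "stale PIDs in sample tree: $(stale_openssl_pids "$sample")"
rm -rf "$sample"

# On a real host (as root, so every /proc/<pid>/maps is readable):
#   pids=$(stale_openssl_pids)
#   [ -n "$pids" ] && ps uwwp $pids
```

An empty result means no running process still maps the old library files; it says nothing about processes that statically link OpenSSL or about whether the running binary's version is actually patched, which is what the remote scanner is testing.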