Scott Ferguson:
> On 09/04/14 00:49, Jochen Spieker wrote:
>>
>> as many others, I patched my machines today because of the horrible
>> OpenSSL bug:
>>
>> $ apt-cache policy libssl1.0.0
>> libssl1.0.0:
>> Installed: 1.0.1e-2+deb7u6
>> Candidate: 1.0.1e-2+deb7u6
>> Version table:
>> 1.0.1g-1 0
>> -10 http://http.debian.net/debian/ sid/main amd64 Packages
>> *** 1.0.1e-2+deb7u6 0
>> 500 http://security.debian.org/ wheezy/updates/main amd64 Packages
>> 100 /var/lib/dpkg/status
>> 1.0.1e-2+deb7u4 0
>> 500 http://http.debian.net/debian/ wheezy/main amd64 Packages
>>
>> I made sure all relevant services were restarted after the upgrade.
>
> # ps uwwp $(find /proc -maxdepth 2 -name maps -exec grep -HE
> '/libssl\.so.* \(deleted\)' {} \; | cut -d/ -f3 | sort -u)

Doesn't work here because the find command produces no output. As I
said, I already rebooted the machine so it is impossible that Apache
uses a deleted file.

> *Then regenerate keys*

Yes, I still need to do that.

>> I
>> even rebooted the (virtual) machine just to be sure. But when using the
>> test tool from https://github.com/FiloSottile/Heartbleed I am notified
>> that Apache on my server is still vulnerable:
>
> Notice on http://filippo.io/Heartbleed/
> "There are load (?) issues causing FALSE NEGATIVES."

This only applies to the web version. The command line program that I
used is not affected.

>> Am I doing anything wrong? Is the testing tool broken? I also tried the
>> one at https://gist.github.com/takeshixx/10107280 which confirms there
>> is still a problem on port 443 (HTTPS served by Apache).
>
> That test tool was updated a few hours ago to include checks for
> patches. You may find you now get "Version number indicates vulnerable,
> but your build is recent so may be patched."

I have the most recent version and it still reports my system to be
vulnerable.

> Use the code I quoted above to double check you restarted all relevant
> services and daemons.
> All our servers test fine (as being patched) - but
> we shut down completely for the key replacement process and some won't
> be back on line until tomorrow. At this point we don't know whether to
> consider everything potentially compromised - or only the last week or
> so..... :(

I think the most important thing is to patch the systems and to replace
all certificates. But then I only run private systems with less than a
dozen users.

J.
--
When standing at the top of Beachy Head I find the rocks below very
attractive.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
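An added example, not code from this thread or from either poster: a Python version of the /proc maps check Scott quotes above, extended to match libcrypto as well as libssl, since the OpenSSL upgrade replaces both. It assumes Linux /proc semantics (a process whose maps still reference a "(deleted)" library path loaded the old copy before the upgrade and has not been restarted); the sample maps lines are constructed.

```python
"""Report processes that still map a deleted OpenSSL shared library.
Added example, not code from the thread: same idea as Scott's find/grep."""
import os
import re
from typing import Dict, Iterable, Set

# Path column of a maps line for an OpenSSL library replaced on disk.
LIB_PATTERN = re.compile(r"/lib(ssl|crypto)\.so[^ ]*\s+\(deleted\)$")

# Constructed sample of /proc/<pid>/maps output (not captured from a real host).
SAMPLE_MAPS = """\
7f3a00000000-7f3a00100000 r-xp 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a00200000-7f3a00300000 r-xp 00000000 fd:01 1235 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a00400000-7f3a00500000 r-xp 00000000 fd:01 1236 /lib/x86_64-linux-gnu/libc-2.13.so
7f3a00600000-7f3a00700000 rw-p 00000000 00:00 0
"""

def deleted_libs_in_maps(lines: Iterable[str]) -> Set[str]:
    """Return the deleted OpenSSL library entries found in one maps file."""
    found = set()
    for line in lines:
        # Columns: address perms offset dev inode [pathname]; the pathname
        # may contain spaces, so keep everything after the fifth column.
        parts = line.rstrip("\n").split(None, 5)
        if len(parts) == 6 and LIB_PATTERN.search(parts[5]):
            found.add(parts[5])
    return found

def scan_proc(proc_root: str = "/proc") -> Dict[int, Set[str]]:
    """Map pid -> deleted OpenSSL libs for every process still holding one.
    Reading other users' maps needs root; unreadable or vanished pids are skipped."""
    hits: Dict[int, Set[str]] = {}
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = deleted_libs_in_maps(fh)
        except OSError:
            continue
        if libs:
            hits[int(entry)] = libs
    return hits

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(sorted(libs)))  # each of these needs a restart
```

After a reboot no process can still map a deleted file, so an empty result then says nothing about whether the running binary is patched; it only tells you no stale library is loaded.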