Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Maxim Khitrov max at mxcrypt.com
Tue Apr 8 17:07:00 UTC 2014


Here's mine, written in Go:

http://code.google.com/p/mxk/source/browse/go1/tlshb/

To build the binary, install Mercurial, install Go (golang.org), set
GOPATH to some empty directory, then run:

go get code.google.com/p/mxk/go1/tlshb

- Max

On Tue, Apr 8, 2014 at 12:16 PM, Patrick W. Gilmore <patrick at ianai.net> wrote:
> Lots of tools available. I'm with ferg, surprised more haven't been mentioned here.
>
> Tools to check for the bug:
>         • on your own box: https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
>         • online: http://filippo.io/Heartbleed/ (use carefully as they might log what you check)
>         • online: http://possible.lv/tools/hb/
>         • offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias Dussa, also takes a CSV file with host names for input and ports as parameter
>         • offline: http://s3.jspenguin.org/ssltest.py
>         • offline: https://github.com/titanous/heartbleeder
>
> List of vulnerable Linux distributions: <http://www.circl.lu/pub/tr-21/>.
>
> Anyone have any more?
>
> --
> TTFN,
> patrick
>
>
> On Apr 08, 2014, at 12:11 , Jonathan Lassoff <jof at thejof.com> wrote:
>
>> For testing, I've had good luck with
>> https://github.com/titanous/heartbleeder and
>> https://gist.github.com/takeshixx/10107280
>>
>> Both are mostly platform-independent, so they should be able to work even
>> if you don't have a modern OpenSSL to test with.
>>
>> Cheers and good luck (you're going to need it),
>> jof
>>
>> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <mike at mtcc.com> wrote:
>>
>>> Just as a data point, I checked the servers I run and it's a good thing I
>>> didn't reflexively update them first.
>>> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>>> the vulnerability, but the ones queued up for update do. I assume that
>>> redhat will get the patched version soon but be careful!
>>>
>>> Mike
>>>
>>>
>>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>>
>>>>
>>>> I'm really surprised no one has mentioned this here yet...
>>>>
>>>> FYI,
>>>>
>>>> - ferg
>>>>
>>>>
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: Rich Kulawiec <rsk at gsp.org>
>>>>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>>>> Date: April 7, 2014 at 9:27:40 PM EDT
>>>>>
>>>>> This reaches across many versions of Linux and BSD and, I'd
>>>>> presume, into some versions of operating systems based on them.
>>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>>> places.
>>>>>
>>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
>>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>>>
>>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>>
>>>>> OpenSSL versions affected (from link just above):
>>>>> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>>>>> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>>>>> OpenSSL 1.0.0 branch is NOT vulnerable
>>>>> OpenSSL 0.9.8 branch is NOT vulnerable
>>>>>
>>>>>
>>>> -- Paul Ferguson
>>>> VP Threat Intelligence, IID
>>>> PGP Public Key ID: 0x54DC85B2
>>>>

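The affected-version list forwarded above, turned into an inventory check as an added example (not code from any tool or poster in this thread; the names `Classify` and `Status` are assumed). It classifies an `openssl version` line or an RPM package name against the 1.0.1 through 1.0.1f range; as Mike's CentOS note shows, the installed and queued packages can differ, and distributions backport fixes without bumping the upstream version, so a hit here is a reason to check the package changelog or run one of the testers listed, not a final verdict.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Status is the verdict on an OpenSSL build from its version string alone.
type Status int

const (
	NotAffected Status = iota // 0.9.8, 1.0.0, or 1.0.1g and later
	Affected                  // 1.0.1 through 1.0.1f (inclusive)
	Unknown                   // input did not contain an OpenSSL version
)

func (s Status) String() string {
	return [...]string{"not affected", "AFFECTED", "unknown"}[s]
}

// verRe picks the version out of "OpenSSL 1.0.1e-fips 11 Feb 2013" or an
// RPM name such as "openssl-1.0.1e-16.el6"; the optional letter is the patch level.
var verRe = regexp.MustCompile(`(?i)\b(\d+)\.(\d+)\.(\d+)([a-z]?)`)

// Classify applies the affected-version list quoted in the thread.
func Classify(s string) Status {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return Unknown
	}
	major, minor, patch := m[1], m[2], m[3]
	letter := strings.ToLower(m[4])
	if major != "1" || minor != "0" || patch != "1" {
		return NotAffected // other branches never had the heartbeat bug
	}
	// Inside 1.0.1: the unlettered initial release and a..f are vulnerable, g fixed it.
	if letter == "" || letter <= "f" {
		return Affected
	}
	return NotAffected
}

func main() {
	// Constructed sample strings, not output from any real host.
	for _, v := range []string{"OpenSSL 1.0.1e-fips 11 Feb 2013", "openssl-1.0.0-27.el6_5.1", "OpenSSL 1.0.1g 7 Apr 2014"} {
		fmt.Printf("%-35s %s\n", v, Classify(v))
	}
}
```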
More information about the NANOG mailing list