Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Richard Hesse richard.hesse at weebly.com
Tue Apr 8 16:08:50 UTC 2014


The updated CentOS openssl binaries haven't patched the underlying bug, but
they have disabled the heartbeat functionality. By doing so, they've
disabled the attack vector. Once upstream releases a fix, they will
re-enable the heartbeat function with the working patch.

And yes, don't forget to restart any linked services after updating.

-richard


On Tue, Apr 8, 2014 at 9:03 AM, Michael Thomas <mike at mtcc.com> wrote:

> Just as a data point, I checked the servers I run and it's a good thing I
> didn't reflexively update them first.
> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
> the vulnerability, but the
> ones queued up for update do. I assume that redhat will get the patched
> version soon but be careful!
>
> Mike
>
>
> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>
>> I'm really surprised no one has mentioned this here yet...
>>
>> FYI,
>>
>> - ferg
>>
>>
>>
>> Begin forwarded message:
>>
>>> From: Rich Kulawiec <rsk at gsp.org>
>>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>> Date: April 7, 2014 at 9:27:40 PM EDT
>>>
>>> This reaches across many versions of Linux and BSD and, I'd
>>> presume, into some versions of operating systems based on them.
>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>> places.
>>>
>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>
>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>
>>> OpenSSL versions affected (from link just above):
>>>   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>>>   OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>>>   OpenSSL 1.0.0 branch is NOT vulnerable
>>>   OpenSSL 0.9.8 branch is NOT vulnerable
>>>
>>>
>> -- Paul Ferguson
>> VP Threat Intelligence, IID
>> PGP Public Key ID: 0x54DC85B2
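An added example, not part of this thread: a script that applies the affected-version rules quoted above to the local `openssl version` output and, for the "restart any linked services" advice, lists processes that still map a libssl file replaced on disk. The /proc maps sample is constructed; it assumes Linux and Python 3.7+.

```python
import re
import subprocess
from pathlib import Path

# Version rules quoted above: 1.0.1 through 1.0.1f vulnerable; 1.0.1g, 1.0.0.x
# and 0.9.8x not. Only the version string is examined, so a distro build that
# reports 1.0.1e with heartbeat disabled (the CentOS case above) still returns
# True; treat True as "check the package changelog", not as proof.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def is_heartbleed_vulnerable(version_text):
    m = VERSION_RE.search(version_text)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_text)
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    if branch != (1, 0, 1):
        return False
    return m.group(4) <= "f"  # "" (plain 1.0.1) sorts before "a", so it counts

def stale_libssl_pids(maps_by_pid):
    """Given {pid: text of /proc/<pid>/maps}, return pids that still map a
    libssl whose file was replaced on disk: they run the old code until restarted."""
    stale = []
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if "libssl" in line and line.rstrip().endswith("(deleted)"):
                stale.append(pid)
                break
    return sorted(stale)

def read_proc_maps(proc_root="/proc"):
    out = {}  # only maps files readable by the current user (root sees all)
    for p in Path(proc_root).glob("[0-9]*"):
        try:
            out[int(p.name)] = (p / "maps").read_text()
        except OSError:
            continue
    return out

# Constructed sample of two maps excerpts, not real output.
SAMPLE_MAPS = {
    1234: "7f1a00000000-7f1a00050000 r-xp 00000000 fd:01 5 /usr/lib64/libssl.so.1.0.1e (deleted)\n"
          "7f1a00050000-7f1a00060000 r--p 00050000 fd:01 6 /usr/lib64/libcrypto.so.1.0.1e\n",
    5678: "7f1b00000000-7f1b00050000 r-xp 00000000 fd:01 9 /usr/lib64/libssl.so.1.0.1e\n",
}
if __name__ == "__main__":
    ver = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(ver.strip(), "-> in vulnerable range:", is_heartbleed_vulnerable(ver))
    for pid in stale_libssl_pids(read_proc_maps()):
        print("pid %d still maps a replaced libssl; restart it" % pid)
```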



More information about the NANOG mailing list