Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Steve Clark sclark at netwolves.com
Tue Apr 8 16:18:31 UTC 2014


According to the changelog the CVE is fixed now.

$ rpm -qa|grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
Tue Apr  8 12:17:25 EDT 2014
Z643357:~
$ rpm -q --changelog openssl | less
* Mon Apr 07 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

On 04/08/2014 12:11 PM, Jonathan Lassoff wrote:
> For testing, I've had good luck with
> https://github.com/titanous/heartbleeder and
> https://gist.github.com/takeshixx/10107280
>
> Both are mostly platform-independent, so they should be able to work even
> if you don't have a modern OpenSSL to test with.
>
> Cheers and good luck (you're going to need it),
> jof
>
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <mike at mtcc.com> wrote:
>
>> Just as a data point, I checked the servers I run and it's a good thing I
>> didn't reflexively update them first.
>> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>> the vulnerability, but the ones queued up for update do. I assume that
>> redhat will get the patched version soon but be careful!
>>
>> Mike
>>
>>
>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> I'm really surprised no one has mentioned this here yet...
>>>
>>> FYI,
>>>
>>> - - ferg
>>>
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: Rich Kulawiec <rsk at gsp.org>
>>>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>>> Date: April 7, 2014 at 9:27:40 PM EDT
>>>>
>>>> This reaches across many versions of Linux and BSD and, I'd
>>>> presume, into some versions of operating systems based on them.
>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>> places.
>>>>
>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>>>> revealed
>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>>
>>>>    Technical details: Heartbleed Bug http://heartbleed.com/
>>>>
>>>> OpenSSL versions affected (from link just above):
>>>>   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>>>>   OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>>>>   OpenSSL 1.0.0 branch is NOT vulnerable
>>>>   OpenSSL 0.9.8 branch is NOT vulnerable
>>>>
>>>>
>>> - -- Paul Ferguson
>>> VP Threat Intelligence, IID
>>> PGP Public Key ID: 0x54DC85B2
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.22 (MingW32)
>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>
>>> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
>>> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
>>> =aAzE
>>> -----END PGP SIGNATURE-----
>>>
>>
>>


-- 
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
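The two signals the thread relies on, the upstream version range from heartbleed.com and the distro changelog entry naming CVE-2014-0160, combined into one check. This is an added example, not code from anyone in the thread or from Red Hat; the first two sample inputs are the rpm output quoted above, the remaining sample version strings are constructed, and the function names are the example's own.

```python
import re

# Affected range as quoted in the thread from heartbleed.com: upstream 1.0.1 through
# 1.0.1f are vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch are not.
LAST_VULNERABLE_LETTER = "f"
HEARTBLEED_CVE = "CVE-2014-0160"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Pull (major, minor, patch, letter) out of 'openssl version' output such as
    'OpenSSL 1.0.1e-fips 11 Feb 2013' or an RPM name like 'openssl-1.0.1e-16.el6_5.7.x86_64'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version string in %r" % text)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def upstream_version_vulnerable(version):
    """True when the upstream version lies in 1.0.1 .. 1.0.1f inclusive (a bare '1.0.1' has letter '')."""
    major, minor, patch, letter = version
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter <= LAST_VULNERABLE_LETTER


def changelog_records_fix(changelog, cve=HEARTBLEED_CVE):
    """Distro backports keep the upstream version string (RHEL's fixed build is still 1.0.1e),
    so the package changelog, not the version, is what says whether the fix is present."""
    return cve in changelog


def assess(version_text, changelog=""):
    """Combine the two signals into the verdict an operator needs."""
    if not upstream_version_vulnerable(parse_openssl_version(version_text)):
        return "not affected: upstream version outside 1.0.1..1.0.1f"
    if changelog_records_fix(changelog):
        return "patched: affected upstream version, but the package changelog records the %s fix" % HEARTBLEED_CVE
    return "VULNERABLE: affected upstream version and no %s fix in the changelog" % HEARTBLEED_CVE


# Sample inputs: the first two are the rpm output quoted in the thread, the rest are constructed.
RHEL_PACKAGE = "openssl-1.0.1e-16.el6_5.7.x86_64"
RHEL_CHANGELOG = (
    "* Mon Apr 07 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1e-16.7\n"
    "- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n"
)
UPSTREAM_OLD = "OpenSSL 1.0.1e 11 Feb 2013"
UPSTREAM_FIXED = "OpenSSL 1.0.1g 7 Apr 2014"
OLD_BRANCH = "OpenSSL 1.0.0-fips 29 Mar 2010"

if __name__ == "__main__":
    for version_text, changelog in ((RHEL_PACKAGE, RHEL_CHANGELOG), (UPSTREAM_OLD, ""),
                                    (UPSTREAM_FIXED, ""), (OLD_BRANCH, "")):
        print("%-40s %s" % (version_text, assess(version_text, changelog)))
```

On a live RHEL/CentOS host the two inputs come from `rpm -q openssl` and `rpm -q --changelog openssl`, exactly as shown in the message above. The point of splitting the check in two is the trap Michael Thomas describes: a version-only scanner flags 1.0.1e as vulnerable whether or not the distro has backported the fix, and only the changelog (or an actual heartbeat probe of the running service) settles it.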


