Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.os.linux.security > #481 > unrolled thread
| Started by | Steve Wolf <stevwolf58@gmail.com> |
|---|---|
| First post | 2014-04-14 07:48 -0700 |
| Last post | 2014-04-15 05:38 -0500 |
| Articles | 17 — 9 participants |
Back to article view | Back to comp.os.linux.security
heardbleed bug and openssl Steve Wolf <stevwolf58@gmail.com> - 2014-04-14 07:48 -0700
Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 07:55 -0700
Re: heardbleed bug and openssl Jim Beard <jdbeard@patriot.net> - 2014-04-14 15:05 +0000
Re: heardbleed bug and openssl Aragorn <thorongil@telenet.be.invalid> - 2014-04-14 17:58 +0200
Re: heardbleed bug and openssl Steve Wolf <stevwolf58@gmail.com> - 2014-04-14 08:48 -0700
Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 10:29 -0700
Re: heardbleed bug and openssl colinmarr0@gmail.com - 2014-04-14 10:48 -0700
Re: heardbleed bug and openssl "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2014-04-14 14:08 -0400
Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 18:47 +0000
Re: heardbleed bug and openssl Joe Beanfish <joebeanfish@nospam.duh> - 2014-04-15 13:36 +0000
Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 18:46 +0000
Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 12:28 -0700
Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 21:18 +0000
Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 14:48 -0700
Re: heardbleed bug and openssl Jim Beard <jdbeard@patriot.net> - 2014-04-15 01:44 +0000
Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 17:10 +0000
Re: heardbleed bug and openssl "Trevor Hemsley" <Trevor.Hemsley@mytrousers.ntlworld.com> - 2014-04-15 05:38 -0500
| From | Steve Wolf <stevwolf58@gmail.com> |
|---|---|
| Date | 2014-04-14 07:48 -0700 |
| Subject | heardbleed bug and openssl |
| Message-ID | <003ee7a0-e43e-491c-935a-d8f67cbe8f15@googlegroups.com> |
Can anyone tell me if the following is suceptable to the heart bleed bug. openssl-0.9.7a-43.18.el4 I dont know much about these things but they say its with version OpenSSL version 1.0.1. Can anyone tell me if this version of software is succepable to it. Thanks.
[toc] | [next] | [standalone]
| From | Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> |
|---|---|
| Date | 2014-04-14 07:55 -0700 |
| Message-ID | <lg9t1bxg7u.ln2@goaway.wombat.san-francisco.ca.us> |
| In reply to | #481 |
On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote: > > openssl-0.9.7a-43.18.el4 > > I dont know much about these things but they say its with version OpenSSL version 1.0.1. > > Can anyone tell me if this version of software is succepable to it. The main heartbleed bug site can. heartbleed.com Look for "What versions of the OpenSSL are affected?" --keith -- kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt see X- headers for PGP signature information
[toc] | [prev] | [next] | [standalone]
| From | Jim Beard <jdbeard@patriot.net> |
|---|---|
| Date | 2014-04-14 15:05 +0000 |
| Message-ID | <ligtg3$ca8$1@dont-email.me> |
| In reply to | #481 |
On Mon, 14 Apr 2014 07:48:01 -0700, Steve Wolf wrote:
> Can anyone tell me if the following is suceptable to the heart bleed bug.
>
> openssl-0.9.7a-43.18.el4
>
> I dont know much about these things but they say its with version OpenSSL version 1.0.1.
>
> Can anyone tell me if this version of software is succepable to it.
IIRC, the g version is not susceptible (and versions before introduction of the
vulnerability likewse), but the above is the e version and vulnerable.
Cheers!
jim b.
--
UNIX is not user-unfriendly; it merely
expects users to be computer-friendly.
[toc] | [prev] | [next] | [standalone]
| From | Aragorn <thorongil@telenet.be.invalid> |
|---|---|
| Date | 2014-04-14 17:58 +0200 |
| Message-ID | <lih0j0$76v$1@dont-email.me> |
| In reply to | #483 |
On Monday 14 April 2014 17:05, Jim Beard conveyed the following to
comp.os.linux.security...
> On Mon, 14 Apr 2014 07:48:01 -0700, Steve Wolf wrote:
>
>> Can anyone tell me if the following is suceptable to the heart bleed
>> bug.
>>
>> openssl-0.9.7a-43.18.el4
>>
>> I dont know much about these things but they say its with version
>> OpenSSL version 1.0.1.
>>
>> Can anyone tell me if this version of software is succepable to it.
>
> IIRC, the g version is not susceptible (and versions before
> introduction of the vulnerability likewse), but the above is the e
> version and vulnerable.
Not quite. Look at the version number, Jim.
He's got 0.9.7. The vulnerability was only introduced in 1.0.1. 1.0.0
and 0.x.x versions are unaffected.
--
= Aragorn =
http://www.linuxcounter.net - registrant #223157
[toc] | [prev] | [next] | [standalone]
| From | Steve Wolf <stevwolf58@gmail.com> |
|---|---|
| Date | 2014-04-14 08:48 -0700 |
| Message-ID | <2bd15321-3344-4d97-ab58-784b410ea490@googlegroups.com> |
| In reply to | #481 |
Thanks for the answers, According to the article that was pointed out by Keith K, Im NOT susceptible. --------------------------------------------------------- What versions of the OpenSSL are affected? Status of different versions: OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug. ---------------------------------------------------------------- If I read my version correctly I have 0.7 This is not 1.0.1 through 1.0.1f Thus mine is not affected ?? Yet Jim says it is. Am I reading something incorrectly. I dont know much about all this version info. thanks.
[toc] | [prev] | [next] | [standalone]
| From | Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> |
|---|---|
| Date | 2014-04-14 10:29 -0700 |
| Message-ID | <dhit1bxfn.ln2@goaway.wombat.san-francisco.ca.us> |
| In reply to | #484 |
On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote: > If I read my version correctly I have 0.7 If you posted correctly you have some version of 0.9.7. > This is not 1.0.1 through 1.0.1f > Thus mine is not affected ?? Yet Jim says it is. Jim is incorrect. If you are running a network service, you can test it using this URL (which has a good reputation, though may still be collating vulnerable services for later attack): https://filippo.io/Heartbleed/ Or you can download source code and test your services yourself: https://github.com/FiloSottile/Heartbleed I don't currently know a way of testing libraries client-side. --keith -- kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt see X- headers for PGP signature information
[toc] | [prev] | [next] | [standalone]
| From | colinmarr0@gmail.com |
|---|---|
| Date | 2014-04-14 10:48 -0700 |
| Message-ID | <fb0f7494-d5fb-45ea-9c2b-17723aa82dd7@googlegroups.com> |
| In reply to | #487 |
Thanks. It looks like Im safe from that. Its a funny thing isnt it, If you have the old version it's safe if you have the new version its not safe. I will take a look at the link you have provided, Thanks.
[toc] | [prev] | [next] | [standalone]
| From | "David W. Hodgins" <dwhodgins@nomail.afraid.org> |
|---|---|
| Date | 2014-04-14 14:08 -0400 |
| Message-ID | <op.xebjb4ava3w0dxdave@hodgins.homeip.net> |
| In reply to | #488 |
On Mon, 14 Apr 2014 13:48:31 -0400, <colinmarr0@gmail.com> wrote: > Its a funny thing isnt it, If you have the old version it's safe if you have the new version its not safe. Actually, it doesn't. $ rpm -q --changelog openssl|grep CVE - add upstream patch to fix CVE-2014-0160 - add patch from upstream via opensuse to fix CVE-2014-0076 - add upstream patch to fix CVE-2013-6450 - use upstream patch to fix CVE 2013-4353 - add patch from fedora to fix CVE-2013-6449 - 1.0.0j (fixes CVE-2012-2333) - new version (fix CVE 2012-2110) That's within the last 3 years which only goes back to 1.0.0. I have no idea if any of those security problems also affected the prior versions, but I would not assume the 2014-0160 is the only one that doesn't. Regards, Dave Hodgins -- Change nomail.afraid.org to ody.ca to reply by email. (nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)
[toc] | [prev] | [next] | [standalone]
| From | William Unruh <unruh@invalid.ca> |
|---|---|
| Date | 2014-04-14 18:47 +0000 |
| Message-ID | <lihafh$lg1$2@dont-email.me> |
| In reply to | #488 |
On 2014-04-14, colinmarr0@gmail.com <colinmarr0@gmail.com> wrote: > Thanks. > It looks like Im safe from that. > Its a funny thing isnt it, If you have the old version it's safe if you have the new version its not safe. New additions (heartbeat) can mean new bugs.
[toc] | [prev] | [next] | [standalone]
| From | Joe Beanfish <joebeanfish@nospam.duh> |
|---|---|
| Date | 2014-04-15 13:36 +0000 |
| Message-ID | <lijcki$p2u$1@dont-email.me> |
| In reply to | #488 |
On Mon, 14 Apr 2014 10:48:31 -0700, colinmarr0 wrote: >> Can anyone tell me if the following is suceptable to the heart bleed >> bug. >> >> openssl-0.9.7a-43.18.el4 >> > Thanks. > It looks like Im safe from that. > Its a funny thing isnt it, If you have the old version it's safe if you > have the new version its not safe. > > I will take a look at the link you have provided, > Thanks. You're not susceptible to heartbleed, but you're most likely susceptible to a plethora of other bugs fixed between 0.9.7a and 1.0.1. Some fixes have been backported to redhat's flavor of 0.9.7 but not all.
[toc] | [prev] | [next] | [standalone]
| From | William Unruh <unruh@invalid.ca> |
|---|---|
| Date | 2014-04-14 18:46 +0000 |
| Message-ID | <lihadn$lg1$1@dont-email.me> |
| In reply to | #487 |
On 2014-04-14, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote: > On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote: >> If I read my version correctly I have 0.7 > > If you posted correctly you have some version of 0.9.7. > >> This is not 1.0.1 through 1.0.1f >> Thus mine is not affected ?? Yet Jim says it is. > > Jim is incorrect. > > If you are running a network service, you can test it using this URL > (which has a good reputation, though may still be collating vulnerable > services for later attack): > > https://filippo.io/Heartbleed/ > > Or you can download source code and test your services yourself: > > https://github.com/FiloSottile/Heartbleed > > I don't currently know a way of testing libraries client-side. But if your browser does not listen on 443, this will not work even if your ssl library is bad. And if you have no browser, but have say imap running it also will not tell you that ssl is bad. > > --keith >
[toc] | [prev] | [next] | [standalone]
| From | Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> |
|---|---|
| Date | 2014-04-14 12:28 -0700 |
| Message-ID | <pgpt1bxvg2.ln2@goaway.wombat.san-francisco.ca.us> |
| In reply to | #490 |
On 2014-04-14, William Unruh <unruh@invalid.ca> wrote: >> >> https://filippo.io/Heartbleed/ >> >> Or you can download source code and test your services yourself: >> >> https://github.com/FiloSottile/Heartbleed >> >> I don't currently know a way of testing libraries client-side. > > But if your browser does not listen on 443, this will not work even if > your ssl library is bad. Of course, which is exactly why I specifically wrote "I don't currently know a way of testing libraries client-side". > And if you have no browser, but have say imap > running it also will not tell you that ssl is bad. Actually, it can test any listener. If you point the filippo tester to Gmail's imaps server it passes. --keith -- kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt see X- headers for PGP signature information
[toc] | [prev] | [next] | [standalone]
| From | William Unruh <unruh@invalid.ca> |
|---|---|
| Date | 2014-04-14 21:18 +0000 |
| Message-ID | <lihjbc$p8l$1@dont-email.me> |
| In reply to | #492 |
On 2014-04-14, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote: > On 2014-04-14, William Unruh <unruh@invalid.ca> wrote: >>> >>> https://filippo.io/Heartbleed/ >>> >>> Or you can download source code and test your services yourself: >>> >>> https://github.com/FiloSottile/Heartbleed >>> >>> I don't currently know a way of testing libraries client-side. >> >> But if your browser does not listen on 443, this will not work even if >> your ssl library is bad. > > Of course, which is exactly why I specifically wrote "I don't currently > know a way of testing libraries client-side". Those are NOT client side, those are server side. Imap server, pop server, http server are all servers. Now if your server does not listen on 443 then you might say that it is safe anyway, except you could have opened some other port for https Also your server could server other ssl reliant stuff and the test will not find them. > >> And if you have no browser, but have say imap >> running it also will not tell you that ssl is bad. > > Actually, it can test any listener. If you point the filippo tester to > Gmail's imaps server it passes. Yes, if you happen to know the ports. Ie, it will test gmail's imap server on port 443. But that is not what imap listens to. You can tell it to test the approriate port, but most people have no idea what that is. So if you point that site to gmail's imap server, but use the default port 443, that may tell you that the site is OK but that will be pretty useless. (actually it will probably more helpfully tell you that the server does not respond on port 443. But then even valid servers often do not respond to port 443 when they are busy.) > > --keith >
[toc] | [prev] | [next] | [standalone]
| From | Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> |
|---|---|
| Date | 2014-04-14 14:48 -0700 |
| Message-ID | <1n1u1bx3c4.ln2@goaway.wombat.san-francisco.ca.us> |
| In reply to | #493 |
On 2014-04-14, William Unruh <unruh@invalid.ca> wrote: > > Yes, if you happen to know the ports. Ie, it will test gmail's imap > server on port 443. But that is not what imap listens to. You can tell > it to test the approriate port, but most people have no idea what that > is. If the OP is running his own local services (which is the context in which the testers came up) then presumably he knows what ports they are running on. (And if not he probably shouldn't be running them in the first place.) > So if you point that site to gmail's imap server, but use the default > port 443, that may tell you that the site is OK but that will be pretty > useless. (actually it will probably more helpfully tell you that the > server does not respond on port 443. But then even valid servers often > do not respond to port 443 when they are busy.) The tester returns one of three results: pass, fail, or unknown. A server that doesn't respond in time returns unknown, not pass or fail. It doesn't return OK unless it's actually OK. In theory, of course; there could be a bug in the heartbleed bug checker. ;-) --keith -- kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt see X- headers for PGP signature information
[toc] | [prev] | [next] | [standalone]
| From | Jim Beard <jdbeard@patriot.net> |
|---|---|
| Date | 2014-04-15 01:44 +0000 |
| Message-ID | <lii2t6$qk9$1@dont-email.me> |
| In reply to | #484 |
On Mon, 14 Apr 2014 08:48:55 -0700, Steve Wolf wrote:
> Thanks for the answers,
>
> According to the article that was pointed out by Keith K, Im NOT susceptible.
> ---------------------------------------------------------
> What versions of the OpenSSL are affected?
>
> Status of different versions:
>
> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> OpenSSL 1.0.1g is NOT vulnerable
> OpenSSL 1.0.0 branch is NOT vulnerable
> OpenSSL 0.9.8 branch is NOT vulnerable
> Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
> ----------------------------------------------------------------
>
> If I read my version correctly I have 0.7
> This is not 1.0.1 through 1.0.1f
> Thus mine is not affected ?? Yet Jim says it is.
>
> Am I reading something incorrectly. I dont know much about all this version info.
> thanks.
My post assumed you had the current (1.0.1 version). As stated, versions before
introduction of the vulnerability (2011) are not vulnerable.
My failure to check your version to make sure it was current version,
and failure to explicitly state my assumption, clearly makes this my bad.
I stand corrected.
Apologies
jim b.
--
UNIX is not user-unfriendly; it merely
expects users to be computer-friendly.
[toc] | [prev] | [next] | [standalone]
| From | William Unruh <unruh@invalid.ca> |
|---|---|
| Date | 2014-04-14 17:10 +0000 |
| Message-ID | <lih4q7$1so$5@dont-email.me> |
| In reply to | #481 |
On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote: > Can anyone tell me if the following is suceptable to the heart bleed bug. > > openssl-0.9.7a-43.18.el4 > > I dont know much about these things but they say its with version OpenSSL version 1.0.1. From what I have read, no it is not. Heartbeat was only introduced in 1.0.1 > > Can anyone tell me if this version of software is succepable to it. > > Thanks.
[toc] | [prev] | [next] | [standalone]
| From | "Trevor Hemsley" <Trevor.Hemsley@mytrousers.ntlworld.com> |
|---|---|
| Date | 2014-04-15 05:38 -0500 |
| Message-ID | <gjxI70UYBlcC-pn2-TDdRE0w2ZKUm@trevor2.dsl.pipex.com> |
| In reply to | #481 |
On Mon, 14 Apr 2014 14:48:01 UTC in comp.os.linux.security, Steve Wolf <stevwolf58@gmail.com> wrote: > Can anyone tell me if the following is suceptable to the heart bleed bug. > > openssl-0.9.7a-43.18.el4 No, you are not vulnerable to heartbeat. But, unless you have an extended update support agreement in place with Redhat, you are running a version of Enterprise Linux 4.x which has been out of support for more than 2 years and has received NO security updates to any of its packages for at least that time. Depending on how long ago before that it was that you last ran up2date (on RHEL) or yum update (on CentOS) you could be *years* behind on security patches. The end of support for CentOS 4 was the end of February 2012. You should urgently look at either getting a RH EUS to keep that box in maintenance or migrate to a supported version of the operating system ASAP - Heartbleed is not the only security vulnerability around, it's just the most prominent at the current time. -- Trevor Hemsley, Brighton, UK Trevor dot Hemsley at ntlworld dot com
[toc] | [prev] | [standalone]
Back to top | Article view | comp.os.linux.security
csiph-web