Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.os.linux.security > #481 > unrolled thread

heardbleed bug and openssl

Started bySteve Wolf <stevwolf58@gmail.com>
First post2014-04-14 07:48 -0700
Last post2014-04-15 05:38 -0500
Articles 17 — 9 participants

Back to article view | Back to comp.os.linux.security


Contents

  heardbleed bug and openssl Steve Wolf <stevwolf58@gmail.com> - 2014-04-14 07:48 -0700
    Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 07:55 -0700
    Re: heardbleed bug and openssl Jim Beard <jdbeard@patriot.net> - 2014-04-14 15:05 +0000
      Re: heardbleed bug and openssl Aragorn <thorongil@telenet.be.invalid> - 2014-04-14 17:58 +0200
    Re: heardbleed bug and openssl Steve Wolf <stevwolf58@gmail.com> - 2014-04-14 08:48 -0700
      Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 10:29 -0700
        Re: heardbleed bug and openssl colinmarr0@gmail.com - 2014-04-14 10:48 -0700
          Re: heardbleed bug and openssl "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2014-04-14 14:08 -0400
          Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 18:47 +0000
          Re: heardbleed bug and openssl Joe Beanfish <joebeanfish@nospam.duh> - 2014-04-15 13:36 +0000
        Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 18:46 +0000
          Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 12:28 -0700
            Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 21:18 +0000
              Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 14:48 -0700
      Re: heardbleed bug and openssl Jim Beard <jdbeard@patriot.net> - 2014-04-15 01:44 +0000
    Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 17:10 +0000
    Re: heardbleed bug and openssl "Trevor Hemsley" <Trevor.Hemsley@mytrousers.ntlworld.com> - 2014-04-15 05:38 -0500

#481 — heardbleed bug and openssl

FromSteve Wolf <stevwolf58@gmail.com>
Date2014-04-14 07:48 -0700
Subjectheardbleed bug and openssl
Message-ID<003ee7a0-e43e-491c-935a-d8f67cbe8f15@googlegroups.com>
Can anyone tell me if the following is suceptable to the heart bleed bug.

openssl-0.9.7a-43.18.el4

I dont know much about these things but they say its with version OpenSSL version 1.0.1.

Can anyone tell me if this version of software is succepable to it.

Thanks.

[toc] | [next] | [standalone]


#482

FromKeith Keller <kkeller-usenet@wombat.san-francisco.ca.us>
Date2014-04-14 07:55 -0700
Message-ID<lg9t1bxg7u.ln2@goaway.wombat.san-francisco.ca.us>
In reply to#481
On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote:
>
> openssl-0.9.7a-43.18.el4
>
> I dont know much about these things but they say its with version OpenSSL version 1.0.1.
>
> Can anyone tell me if this version of software is succepable to it.

The main heartbleed bug site can.

heartbleed.com

Look for "What versions of the OpenSSL are affected?"

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

[toc] | [prev] | [next] | [standalone]


#483

FromJim Beard <jdbeard@patriot.net>
Date2014-04-14 15:05 +0000
Message-ID<ligtg3$ca8$1@dont-email.me>
In reply to#481
On Mon, 14 Apr 2014 07:48:01 -0700, Steve Wolf wrote:

> Can anyone tell me if the following is suceptable to the heart bleed bug.
> 
> openssl-0.9.7a-43.18.el4
> 
> I dont know much about these things but they say its with version OpenSSL version 1.0.1.
> 
> Can anyone tell me if this version of software is succepable to it.

IIRC, the g version is not susceptible (and versions before introduction of the 
vulnerability likewse), but the above is the e version and vulnerable.

Cheers!

jim b.



-- 
UNIX is not user-unfriendly; it merely
     expects users to be computer-friendly.

[toc] | [prev] | [next] | [standalone]


#485

FromAragorn <thorongil@telenet.be.invalid>
Date2014-04-14 17:58 +0200
Message-ID<lih0j0$76v$1@dont-email.me>
In reply to#483
On Monday 14 April 2014 17:05, Jim Beard conveyed the following to 
comp.os.linux.security...

> On Mon, 14 Apr 2014 07:48:01 -0700, Steve Wolf wrote:
> 
>> Can anyone tell me if the following is suceptable to the heart bleed
>> bug.
>> 
>> openssl-0.9.7a-43.18.el4
>> 
>> I dont know much about these things but they say its with version
>> OpenSSL version 1.0.1.
>> 
>> Can anyone tell me if this version of software is succepable to it.
> 
> IIRC, the g version is not susceptible (and versions before
> introduction of the vulnerability likewse), but the above is the e
> version and vulnerable.

Not quite.  Look at the version number, Jim. 

He's got 0.9.7.  The vulnerability was only introduced in 1.0.1.  1.0.0 
and 0.x.x versions are unaffected.

-- 
= Aragorn =

         http://www.linuxcounter.net - registrant #223157

[toc] | [prev] | [next] | [standalone]


#484

FromSteve Wolf <stevwolf58@gmail.com>
Date2014-04-14 08:48 -0700
Message-ID<2bd15321-3344-4d97-ab58-784b410ea490@googlegroups.com>
In reply to#481
Thanks for the answers,

According to the article that was pointed out by Keith K, Im NOT susceptible.
---------------------------------------------------------
What versions of the OpenSSL are affected?

 Status of different versions:

 OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
 OpenSSL 1.0.1g is NOT vulnerable
 OpenSSL 1.0.0 branch is NOT vulnerable
 OpenSSL 0.9.8 branch is NOT vulnerable
 Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
----------------------------------------------------------------

If I read my version correctly I have 0.7
This is not 1.0.1 through 1.0.1f
Thus mine is not affected ?? Yet Jim says it is.

Am I reading something incorrectly. I dont know much about all this version info.
thanks.


[toc] | [prev] | [next] | [standalone]


#487

FromKeith Keller <kkeller-usenet@wombat.san-francisco.ca.us>
Date2014-04-14 10:29 -0700
Message-ID<dhit1bxfn.ln2@goaway.wombat.san-francisco.ca.us>
In reply to#484
On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote:
> If I read my version correctly I have 0.7

If you posted correctly you have some version of 0.9.7.

> This is not 1.0.1 through 1.0.1f
> Thus mine is not affected ?? Yet Jim says it is.

Jim is incorrect.

If you are running a network service, you can test it using this URL
(which has a good reputation, though may still be collating vulnerable
services for later attack):

https://filippo.io/Heartbleed/

Or you can download source code and test your services yourself:

https://github.com/FiloSottile/Heartbleed

I don't currently know a way of testing libraries client-side.

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

[toc] | [prev] | [next] | [standalone]


#488

Fromcolinmarr0@gmail.com
Date2014-04-14 10:48 -0700
Message-ID<fb0f7494-d5fb-45ea-9c2b-17723aa82dd7@googlegroups.com>
In reply to#487
Thanks. 
It looks like Im safe from that.
Its a funny thing isnt it,  If you have the old version it's safe if you have the new version its not safe.

I will take a look at the link you have provided,
Thanks.

[toc] | [prev] | [next] | [standalone]


#489

From"David W. Hodgins" <dwhodgins@nomail.afraid.org>
Date2014-04-14 14:08 -0400
Message-ID<op.xebjb4ava3w0dxdave@hodgins.homeip.net>
In reply to#488
On Mon, 14 Apr 2014 13:48:31 -0400, <colinmarr0@gmail.com> wrote:

> Its a funny thing isnt it,  If you have the old version it's safe if you have the new version its not safe.

Actually, it doesn't.
$ rpm -q --changelog openssl|grep CVE
- add upstream patch to fix CVE-2014-0160
- add patch from upstream via opensuse to fix CVE-2014-0076
- add upstream patch to fix CVE-2013-6450
- use upstream patch to fix CVE 2013-4353
- add patch from fedora to fix CVE-2013-6449
- 1.0.0j (fixes CVE-2012-2333)
- new version (fix CVE 2012-2110)

That's within the last 3 years which only goes back to 1.0.0.

I have no idea if any of those security problems also affected
the prior versions, but I would not assume the 2014-0160 is the
only one that doesn't.

Regards, Dave Hodgins

-- 
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

[toc] | [prev] | [next] | [standalone]


#491

FromWilliam Unruh <unruh@invalid.ca>
Date2014-04-14 18:47 +0000
Message-ID<lihafh$lg1$2@dont-email.me>
In reply to#488
On 2014-04-14, colinmarr0@gmail.com <colinmarr0@gmail.com> wrote:
> Thanks. 
> It looks like Im safe from that.
> Its a funny thing isnt it,  If you have the old version it's safe if you have the new version its not safe.

New additions (heartbeat) can mean new bugs. 

[toc] | [prev] | [next] | [standalone]


#497

FromJoe Beanfish <joebeanfish@nospam.duh>
Date2014-04-15 13:36 +0000
Message-ID<lijcki$p2u$1@dont-email.me>
In reply to#488
On Mon, 14 Apr 2014 10:48:31 -0700, colinmarr0 wrote:
>> Can anyone tell me if the following is suceptable to the heart bleed 
>> bug.
>> 
>> openssl-0.9.7a-43.18.el4
>>
> Thanks.
> It looks like Im safe from that.
> Its a funny thing isnt it,  If you have the old version it's safe if you
> have the new version its not safe.
> 
> I will take a look at the link you have provided,
> Thanks.

You're not susceptible to heartbleed, but you're most likely susceptible
to a plethora of other bugs fixed between 0.9.7a and 1.0.1. Some fixes
have been backported to redhat's flavor of 0.9.7 but not all.

[toc] | [prev] | [next] | [standalone]


#490

FromWilliam Unruh <unruh@invalid.ca>
Date2014-04-14 18:46 +0000
Message-ID<lihadn$lg1$1@dont-email.me>
In reply to#487
On 2014-04-14, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
> On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote:
>> If I read my version correctly I have 0.7
>
> If you posted correctly you have some version of 0.9.7.
>
>> This is not 1.0.1 through 1.0.1f
>> Thus mine is not affected ?? Yet Jim says it is.
>
> Jim is incorrect.
>
> If you are running a network service, you can test it using this URL
> (which has a good reputation, though may still be collating vulnerable
> services for later attack):
>
> https://filippo.io/Heartbleed/
>
> Or you can download source code and test your services yourself:
>
> https://github.com/FiloSottile/Heartbleed
>
> I don't currently know a way of testing libraries client-side.

But if your browser does not listen on 443, this will not work even if
your ssl library is bad. And if you have no browser, but have say imap
running it also will not tell you that ssl is bad. 

>
> --keith
>

[toc] | [prev] | [next] | [standalone]


#492

FromKeith Keller <kkeller-usenet@wombat.san-francisco.ca.us>
Date2014-04-14 12:28 -0700
Message-ID<pgpt1bxvg2.ln2@goaway.wombat.san-francisco.ca.us>
In reply to#490
On 2014-04-14, William Unruh <unruh@invalid.ca> wrote:
>>
>> https://filippo.io/Heartbleed/
>>
>> Or you can download source code and test your services yourself:
>>
>> https://github.com/FiloSottile/Heartbleed
>>
>> I don't currently know a way of testing libraries client-side.
>
> But if your browser does not listen on 443, this will not work even if
> your ssl library is bad.

Of course, which is exactly why I specifically wrote "I don't currently
know a way of testing libraries client-side".

> And if you have no browser, but have say imap
> running it also will not tell you that ssl is bad. 

Actually, it can test any listener.  If you point the filippo tester to
Gmail's imaps server it passes.

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

[toc] | [prev] | [next] | [standalone]


#493

FromWilliam Unruh <unruh@invalid.ca>
Date2014-04-14 21:18 +0000
Message-ID<lihjbc$p8l$1@dont-email.me>
In reply to#492
On 2014-04-14, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
> On 2014-04-14, William Unruh <unruh@invalid.ca> wrote:
>>>
>>> https://filippo.io/Heartbleed/
>>>
>>> Or you can download source code and test your services yourself:
>>>
>>> https://github.com/FiloSottile/Heartbleed
>>>
>>> I don't currently know a way of testing libraries client-side.
>>
>> But if your browser does not listen on 443, this will not work even if
>> your ssl library is bad.
>
> Of course, which is exactly why I specifically wrote "I don't currently
> know a way of testing libraries client-side".

Those are NOT client side, those are server side. Imap server, pop
server, http server are all servers. Now if your server does not listen
on 443 then you might say that it is safe anyway, except you could have
opened some other port for https
Also your server could server other ssl reliant stuff and the test will
not find them. 

>
>> And if you have no browser, but have say imap
>> running it also will not tell you that ssl is bad. 
>
> Actually, it can test any listener.  If you point the filippo tester to
> Gmail's imaps server it passes.

Yes, if you happen to know the ports. Ie, it will test gmail's imap
server on port 443. But that is not what imap listens to. You can tell
it to test the approriate port, but most people have no idea what that
is. 
So if you point that site to gmail's imap server, but use the default
port 443, that may tell you that the site is OK but that will be pretty
useless. (actually it will probably more helpfully tell you that the
server does not respond on port 443.  But then even valid servers often
do not respond to port 443 when they are busy.)




>
> --keith
>

[toc] | [prev] | [next] | [standalone]


#494

FromKeith Keller <kkeller-usenet@wombat.san-francisco.ca.us>
Date2014-04-14 14:48 -0700
Message-ID<1n1u1bx3c4.ln2@goaway.wombat.san-francisco.ca.us>
In reply to#493
On 2014-04-14, William Unruh <unruh@invalid.ca> wrote:
>
> Yes, if you happen to know the ports. Ie, it will test gmail's imap
> server on port 443. But that is not what imap listens to. You can tell
> it to test the approriate port, but most people have no idea what that
> is. 

If the OP is running his own local services (which is the context in
which the testers came up) then presumably he knows what ports they are
running on.  (And if not he probably shouldn't be running them in the
first place.)

> So if you point that site to gmail's imap server, but use the default
> port 443, that may tell you that the site is OK but that will be pretty
> useless. (actually it will probably more helpfully tell you that the
> server does not respond on port 443.  But then even valid servers often
> do not respond to port 443 when they are busy.)

The tester returns one of three results: pass, fail, or unknown.  A
server that doesn't respond in time returns unknown, not pass or
fail.  It doesn't return OK unless it's actually OK.  In theory, of
course; there could be a bug in the heartbleed bug checker.  ;-)

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

[toc] | [prev] | [next] | [standalone]


#495

FromJim Beard <jdbeard@patriot.net>
Date2014-04-15 01:44 +0000
Message-ID<lii2t6$qk9$1@dont-email.me>
In reply to#484
On Mon, 14 Apr 2014 08:48:55 -0700, Steve Wolf wrote:

> Thanks for the answers,
> 
> According to the article that was pointed out by Keith K, Im NOT susceptible.
> ---------------------------------------------------------
> What versions of the OpenSSL are affected?
> 
>  Status of different versions:
> 
>  OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>  OpenSSL 1.0.1g is NOT vulnerable
>  OpenSSL 1.0.0 branch is NOT vulnerable
>  OpenSSL 0.9.8 branch is NOT vulnerable
>  Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
> ----------------------------------------------------------------
> 
> If I read my version correctly I have 0.7
> This is not 1.0.1 through 1.0.1f
> Thus mine is not affected ?? Yet Jim says it is.
> 
> Am I reading something incorrectly. I dont know much about all this version info.
> thanks.

My post assumed you had the current (1.0.1 version).  As stated, versions before 
introduction of the vulnerability (2011) are not vulnerable.

My failure to check your version to make sure it was current version,
and failure to explicitly state my assumption, clearly makes this my bad.

I stand corrected.

Apologies

jim b.

-- 
UNIX is not user-unfriendly; it merely
     expects users to be computer-friendly.

[toc] | [prev] | [next] | [standalone]


#486

FromWilliam Unruh <unruh@invalid.ca>
Date2014-04-14 17:10 +0000
Message-ID<lih4q7$1so$5@dont-email.me>
In reply to#481
On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote:
> Can anyone tell me if the following is suceptable to the heart bleed bug.
>
> openssl-0.9.7a-43.18.el4
>
> I dont know much about these things but they say its with version OpenSSL version 1.0.1.

From what I have read, no it is not. Heartbeat was only introduced in
1.0.1


>
> Can anyone tell me if this version of software is succepable to it.
>
> Thanks.

[toc] | [prev] | [next] | [standalone]


#496

From"Trevor Hemsley" <Trevor.Hemsley@mytrousers.ntlworld.com>
Date2014-04-15 05:38 -0500
Message-ID<gjxI70UYBlcC-pn2-TDdRE0w2ZKUm@trevor2.dsl.pipex.com>
In reply to#481
On Mon, 14 Apr 2014 14:48:01 UTC in comp.os.linux.security, Steve Wolf 
<stevwolf58@gmail.com> wrote:

> Can anyone tell me if the following is suceptable to the heart bleed bug.
> 
> openssl-0.9.7a-43.18.el4

No, you are not vulnerable to heartbeat. 

But, unless you have an extended update support agreement in place with Redhat, 
you are running a version of Enterprise Linux 4.x which has been out of support 
for more than 2 years and has received NO security updates to any of its 
packages for at least that time. Depending on how long ago before that it was 
that you last ran up2date (on RHEL) or yum update (on CentOS) you could be 
*years* behind on security patches.  The end of support for CentOS 4 was the end
of February 2012.

You should urgently look at either getting a RH EUS to keep that box in 
maintenance or migrate to a supported version of the operating system ASAP - 
Heartbleed is not the only security vulnerability around, it's just the most 
prominent at the current time.

-- 
Trevor Hemsley, Brighton, UK
Trevor dot Hemsley at ntlworld dot com

[toc] | [prev] | [standalone]


Back to top | Article view | comp.os.linux.security


csiph-web