amuck-landowner

Might wanna recompile or patch that OpenSSL, buddy (4/7/2014)

howardsl2

New Member
Debian Wheezy has issued 2 fixes in the past 24 hours so if you updated it last night you need to do it again. :(

1.0.1e-2+deb7u5 <--last night's upgrade

1.0.1e-2+deb7u6 <--today's upgrade (today's upgrade will restart some services but not all so you'll still need to check with lsof or reboot)
Related new announcement - http://seclists.org/bugtraq/2014/Apr/34

Quoted from link: "In case of doubt a full system restart is recommended."
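The check howardsl2 mentions (lsof, or a reboot) is there because a package upgrade replaces the libssl file on disk but every long-running process keeps the old, now-deleted copy mapped until it is restarted. The program below is an added example, not from the thread or from Debian: it reads /proc/<pid>/maps on Linux, where a replaced file shows up with a "(deleted)" suffix, and lists the processes still holding the old libssl or libcrypto. The sample maps text is constructed for the self-test; the "libssl"/"libcrypto" substring match is a deliberately loose heuristic.

```c
/* Added example (not from the thread): find processes that still map the
 * OLD, now-deleted libssl/libcrypto after an upgrade.  Linux only: relies on
 * the /proc/<pid>/maps format, where a replaced file is shown "(deleted)".
 * Run as root, otherwise other users' maps files are unreadable and skipped. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of one process's maps file: two segments of a deleted
 * libssl, one live libcrypto, one stack line. */
static const char SAMPLE_MAPS[] =
    "7f1c2a000000-7f1c2a1c0000 r-xp 00000000 fd:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f1c2a1c0000-7f1c2a3c0000 ---p 001c0000 fd:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f1c2a400000-7f1c2a5e0000 r-xp 00000000 fd:01 200 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0\n"
    "7f1c2a600000-7f1c2a601000 rw-p 00000000 00:00 0 [stack]\n";

/* Count the lines of a maps text that reference a deleted libssl/libcrypto
 * image.  Pure function so it can be exercised on constructed input. */
int count_stale_ssl_mappings(const char *maps_text)
{
    int stale = 0;
    const char *line = maps_text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[1024];
        if (len >= sizeof buf) len = sizeof buf - 1;   /* truncate absurdly long lines */
        memcpy(buf, line, len);
        buf[len] = '\0';
        if ((strstr(buf, "libssl") || strstr(buf, "libcrypto")) &&
            strstr(buf, "(deleted)"))
            stale++;
        line = nl ? nl + 1 : NULL;
    }
    return stale;
}

/* Slurp /proc/<pid>/maps into a heap buffer; NULL if it cannot be read. */
static char *read_maps(const char *pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/maps", pid);
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 65536, used = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + used, 1, cap - used - 1, f)) > 0) {
        used += n;
        if (used + 1 >= cap) {               /* grow for very large address spaces */
            cap *= 2;
            char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
    }
    buf[used] = '\0';
    fclose(f);
    return buf;
}

/* Walk /proc and print each PID that still maps a deleted OpenSSL image.
 * Returns the number of such processes, or -1 if /proc is unavailable. */
int scan_processes(void)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;   /* only PID dirs */
        char *maps = read_maps(e->d_name);
        if (!maps) continue;                                   /* no permission, or it exited */
        int stale = count_stale_ssl_mappings(maps);
        if (stale > 0) {
            printf("PID %s still maps %d deleted OpenSSL segment(s): restart it\n",
                   e->d_name, stale);
            hits++;
        }
        free(maps);
    }
    closedir(d);
    return hits;
}

int main(void)
{
    printf("self-test on constructed maps: %d stale segment(s)\n",
           count_stale_ssl_mappings(SAMPLE_MAPS));
    int hits = scan_processes();
    if (hits < 0) { perror("/proc"); return 2; }
    printf("%d process(es) need a restart\n", hits);
    return hits > 0 ? 1 : 0;
}
```

Two caveats a practitioner should keep in mind: a process that dlopen'ed libssl after the upgrade shows the new file and is fine, and a statically linked daemon never shows libssl at all and must be rebuilt rather than restarted. When in doubt, the advisory's advice in the post above (a full reboot) still applies.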
 

willie

Active Member
There is also insecurity on the client side, so you have to upgrade that too, not just the server, if you're using openssl clients for something.
 

adly

New Member
Looking like it's still waiting on the certificate to be reissued. Any idea on when that will be done?
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Looking like it's still waiting on the certificate to be reissued. Any idea on when that will be done?
It's been reissued but I am at work and little I can do for this right now. I shouldn't even be on vpsB right now.

I get off in 5 hours. I got the SSL reissued so now just need to update everything.
 

Francisco

Company Lube
Verified Provider
Looks to be good now :)

Over here I'm seeing that it's EOF'ing the heartbeat crap and the certificate was changed to one issued just today.

Good work everyone,

Francisco
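What Francisco is seeing (the server no longer answering a malformed heartbeat) is the one missing length check that CVE-2014-0160 comes down to. The code below is an added, simplified model written for this page; it is not OpenSSL's source. A heartbeat message is type(1) | payload_length(2, big-endian) | payload | padding(16). The vulnerable handler trusts the payload_length field in the message, so the reply echoes bytes far past the request; the fixed handler (the 1.0.1g check, backported in the Debian update discussed above) discards any request whose claimed payload does not fit in the record that actually arrived. The "process memory", the request and the secret placed after it are all constructed test data.

```c
/* Added example (not OpenSSL's code): a simplified model of TLS heartbeat
 * handling showing the Heartbleed bug and its fix side by side. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* A handler gets the request at `rec`, the number of bytes the record layer
 * actually delivered (`rec_len`), and returns a malloc'd reply (length in
 * *out_len) or NULL when the request is discarded.  Caller frees. */
typedef uint8_t *(*hb_handler)(const uint8_t *rec, size_t rec_len, size_t *out_len);

/* Shared reply construction: echo `payload` bytes starting at rec+3. */
static uint8_t *build_reply(const uint8_t *rec, unsigned payload, size_t *out_len)
{
    size_t len = 1 + 2 + payload + HB_PADDING;
    uint8_t *reply = malloc(len);
    if (!reply) return NULL;
    reply[0] = HB_RESPONSE;
    reply[1] = (uint8_t)(payload >> 8);
    reply[2] = (uint8_t)(payload & 0xff);
    memcpy(reply + 3, rec + 3, payload);          /* copies whatever follows the request */
    memset(reply + 3 + payload, 0, HB_PADDING);   /* real code uses random padding */
    *out_len = len;
    return reply;
}

/* VULNERABLE: the copy length comes from the attacker's own length field and
 * rec_len is never consulted, so up to 64 KiB past the request is echoed. */
uint8_t *heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, size_t *out_len)
{
    (void)rec_len;                                /* the bug: never checked */
    if (rec[0] != HB_REQUEST) return NULL;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    return build_reply(rec, payload, out_len);
}

/* FIXED: the claimed payload plus header and padding must fit inside the
 * bytes that actually arrived, otherwise the request is silently dropped. */
uint8_t *heartbeat_fixed(const uint8_t *rec, size_t rec_len, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return NULL;          /* no room for even an empty payload */
    if (rec[0] != HB_REQUEST) return NULL;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return NULL;   /* the missing check */
    return build_reply(rec, payload, out_len);
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed scenario: a 20-byte request with a 1-byte payload sits in
 * process memory directly in front of a secret, but its length field claims
 * 64 bytes.  The buffer is sized so the over-read stays inside it; a real
 * server has no such safety net.  Returns 1 if the reply contains the secret. */
int demo_leaks_secret(hb_handler handler)
{
    static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";   /* constructed */
    uint8_t mem[256] = {0};
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;     /* 20 bytes really sent */
    mem[0] = HB_REQUEST;
    mem[1] = 0x00; mem[2] = 0x40;                /* claims a 64-byte payload */
    mem[3] = 'A';
    memcpy(mem + rec_len, secret, sizeof secret);
    size_t out_len = 0;
    uint8_t *reply = handler(mem, rec_len, &out_len);
    if (!reply) return 0;
    int leaked = contains(reply, out_len, secret);
    free(reply);
    return leaked;
}

/* A well-formed 1-byte heartbeat; returns the reply length (20 for a correct
 * echo) or 0 if the handler discarded it.  Shows the fix keeps heartbeats working. */
size_t demo_legit_reply_len(hb_handler handler)
{
    uint8_t rec[1 + 2 + 1 + HB_PADDING] = { HB_REQUEST, 0x00, 0x01, 'A' };
    size_t out_len = 0;
    uint8_t *reply = handler(rec, sizeof rec, &out_len);
    if (!reply) return 0;
    int ok = reply[0] == HB_RESPONSE && reply[3] == 'A';
    free(reply);
    return ok ? out_len : 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", demo_leaks_secret(heartbeat_vulnerable));
    printf("fixed leaks secret:      %d\n", demo_leaks_secret(heartbeat_fixed));
    printf("fixed legit reply bytes: %zu\n", demo_legit_reply_len(heartbeat_fixed));
    return 0;
}
```

The drop in the fixed path is why a scanner sees the connection go quiet or close instead of getting the oversized echo back; it is also why the only reliable test is an over-claimed length field, not the version string.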
 

willie

Active Member
The new certificate is misconfigured so it throws error dialogs when you visit the site.  It's supposed to be chained with an intermediate certificate that probably came with it in the email from the CA, but otherwise should be available on the CA website someplace.

Edit: it's fixed now.  Some kind of CDN thing?  It definitely didn't send the intermediate cert when I checked a few minutes ago, but it sends it now.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
The new certificate is misconfigured so it throws error dialogs when you visit the site.  It's supposed to be chained with an intermediate certificate that probably came with it in the email from the CA, but otherwise should be available on the CA website someplace.

Edit: it's fixed now.  Some kind of CDN thing?  It definitely didn't send the intermediate cert when I checked a few minutes ago, but it sends it now.
Fixed. Globalsign got a new middle cert.

Was working in Chrome/Chromium without issue. Seems like FF and derivatives were throwing up warnings. Should be good now. 
 

wlanboy

Content Contributor
Hopefully all clients (Browser, Email, OpenVPN, IRC, well all using SSL) will have that patch soon too.
 

adly

New Member
Nice, looks like forward secrecy is supported with some browsers too. Not sure if that was enabled before. Just checking; the old certificate was revoked, right?
 

mojeda

New Member
Cloudflare is claiming that on nginx servers it's incredibly unlikely that someone is able to get your private SSL keys.

They also said while it's unlikely they would be able to with apache2 as well, it seems apache2 might be more vulnerable to it than nginx.

http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

They've set up a server with SSL that is challenging anyone to grab the private key: https://www.cloudflarechallenge.com/heartbleed.
 

eva2000

Active Member
http://thread.gmane.org/gmane.comp.encryption.openssl.user/51243

Date: 2014-04-11 17:22:21 GMT


Akamai Technologies is pleased to offer the following patch to OpenSSL. It adds a "secure arena" that is used to store RSA private keys.  This arena is mmap'd, with guard pages before and after so pointer over- and under-runs won't wander into it. It's also locked into memory so it doesn't appear on disk, and when possible it's also kept out of core files.  This patch is a variant of what we've been using to help protect customer keys for a decade.

This should really be considered more of a proof of concept than something that you want to put directly into production. It slides into the ASN1 code rather than adding a new API (OPENSSL_secure_allocate et al), the overall code isn't portable, and so on. If there is community interest, we would be happy to help work on addressing those issues.  Let me restate that: *do not just take this patch and put it into production without careful review.*

OpenSSL is important to us, and this is the first of what we hope will be several significant contributions in the near future.

Thanks.

-- 

Principal Security Engineer

Akamai Technology

Cambridge, MA
 