Might wanna recompile or patch that OpenSSL, buddy (4/7/2014)

texteditor

Premium Buffalo-based Hosting

• Apr 7, 2014

• #1

http://heartbleed.com/

http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

https://access.redhat.com/security/cve/CVE-2014-0160

https://www.openssl.org/news/secadv_20140407.txt

OpenSSL's TLS ~1.0.1 through 1.0.2+ has a leak in the heatbeat extension that can cause private key leakage. A patched version is out allegedly, or you can rebuild OpenSSL with the -DOPENSSL_NO_HEARTBEATS. flag

Happy patchin'

 

tchen

New Member

• Apr 7, 2014

• #2

Useful test

http://filippo.io/Heartbleed

 

HalfEatenPie

The Irrational One

Retired Staff

• Apr 7, 2014

• #3

Thanks a ton!  Pretty important information right here!

 

sv01

Slow but sure

• Apr 7, 2014

• #4

thanks, just update my Debian

 

thedediguy

New Member

Verified Provider

• Apr 7, 2014

• #5

why thank you

 

jarland

The ocean is digital

• Apr 7, 2014

• #6

Thanks for the heads up. All patched where it matters. The rest...meh hack away


Easily scripted for centos 6, for the lazy. Stolen entirely from a source Ryan linked me to and turned into a quick bash script to make it faster to push.

http://dal.jarland.me/openssl.sh


Source: http://www.ptudor.net/linux/openssl/

 

Last edited by a moderator: Apr 7, 2014

wlanboy

Content Contributer

• Apr 8, 2014

• #7

Damn - just thinking about re-issue my SSL cert.

 

peterw

New Member

• Apr 8, 2014

• #8

tchen said:

Useful test

http://filippo.io/Heartbleed

Click to expand...

All of my domains are vulnerable. Shit.

 

George_Fusioned

Active Member

Verified Provider

• Apr 8, 2014

• #9

After updating the OpenSSL package, check which services are using the old OpenSSL libraries with 'lsof -n | grep ssl | grep DEL' - then restart as needed.

 

eva2000

Active Member

• Apr 8, 2014

• #10

CentOS updated openssl is available now according to https://rhn.redhat.com/errata/RHSA-2014-0376.html

Code:

yum list openssl openssl-devel -q
Installed Packages
openssl.x86_64                                                             1.0.1e-16.el6_5.4                                                       @updates
openssl-devel.x86_64                                                       1.0.1e-16.el6_5.4                                                       @updates
Available Packages
openssl.x86_64                                                             1.0.1e-16.el6_5.7                                                       updates 
openssl-devel.x86_64                                                       1.0.1e-16.el6_5.7                                                       updates

 

Nikki

New Member

• Apr 8, 2014

• #11

Debian Wheezy also has an updated openssl.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883

 

Last edited by a moderator: Apr 8, 2014

P

perennate

New Member

Verified Provider

• Apr 8, 2014

• #12

vpsboard still vulnerable?

 

howardsl2

New Member

• Apr 8, 2014

• #13

Relevant changelog for Ubuntu openssl package:

https://launchpad.net/ubuntu/+source/openssl/+changelog

Run "apt-get update; apt-get upgrade" to see other software that have been updated in the Ubuntu repos. Before doing that, make sure you have "deb http://security.ubuntu.com/ubuntu ... " in your "/etc/apt/sources.list".

 

Last edited by a moderator: Apr 8, 2014

Ishaq

New Member

Verified Provider

• Apr 8, 2014

• #14

By the way, OpenSSH is NOT vulnerable to this. Because it does not use the TLS protocol. So you don't need to worry about changing keypairs, etc.

 

Nikki

New Member

• Apr 8, 2014

• #15

Here's a better script to test your servers, found it earlier after searching around. When it comes to things like this, even if a site seems very trustworthy you should never rely on them to test vulnerabilities.

https://gist.github.com/takeshixx/10107280

 

DomainBop

Dormant VPSB Pathogen

• Apr 8, 2014

• #16

George_Fusioned said:

After updating the OpenSSL package, check which services are using the old OpenSSL libraries with 'lsof -n | grep ssl | grep DEL' - then restart as needed.

Click to expand...

I think that bears repeating.   Also, if you have an OpenVZ VPS, depending on the kernel version, that command may not give any output and so you may have to run just "lsof -n | grep ssl" and restart anything that uses SSL to be on the safe side (or you could just reboot...)

On another note, I just discovered that lsof wasn't installed on my Vultr Tokyo VPS (fixed by apt-get lsof)

 

Last edited by a moderator: Apr 8, 2014

Magiobiwan

Insert Witty Statement Here

Verified Provider

• Apr 8, 2014

• #17

FYI, CentOS 6.5 will still have the version "e" version string, but it WAS Backported. 

 

jarland

The ocean is digital

• Apr 8, 2014

• #18

Got the update today. Apparently the guide+script I linked before doesn't fix it, I just got false negatives from that test site and I'm not ashamed to say I couldn't test this exploit if my life depended on it. Yum update it is!

 

MannDude

Just a dude

vpsBoard Founder

Moderator

• Apr 8, 2014

• #19

perennate said:

vpsboard still vulnerable?

Click to expand...

Still waiting to get my cert reissued. Already ran the updates and still getting positives, though now the site is claiming it's issuing false positives due to load...

 

DomainBop

Dormant VPSB Pathogen

• Apr 8, 2014

• #20

Nikki said:

Debian Wheezy also has an updated openssl.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883

Click to expand...

Debian Wheezy has issued 2 fixes in the past 24 hours so if you updated it last night you need to do it again.

1.0.1e-2+deb7u5 <--last night's upgrade

1.0.1e-2+deb7u6 <--today's upgrade (today's upgrade will restart some services but not all so you'll still need to check with lsof or reboot)