On 11.04.2014, at 17:26, daniel <dan...@noflag.org.uk> wrote:
>
> We are very concerned about the 'Heartbeat' security problem which has
> been discovered with OpenSSL. Thanks to our out-of-date old-stable
> version of debian, we are using:
>
> openssl 0.9.8o-4squeeze14
>
> This page also claims debian 6 (which we use) is unaffected:
> https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
>
> as does the text of the DSA below.
>
> However, both of the heartbeat vulnerability checkers we have used have
> told us that they were able to successfully exploit this vulnerability
> against our site:
>
> http://filippo.io/Heartbleed/#noflag.org.uk
> https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk
>
> What could be going on here?

You are not using the squeeze-Apache but a newer one compiled with a newer openssl. If you do a dpkg -l openssl and don’t get a higher version than 0.9.8 you are probably running one of these “all in one” website packages that provides its own apache and applications.

Dirk
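Added example, not part of the original thread: one way to confirm the diagnosis above is to look at which libssl/libcrypto files the running web server has actually mapped, rather than at what `dpkg -l openssl` reports. The function names, the `CHECK_PID` variable, the `/opt/webstack` path and the sample maps text are all constructed for illustration.

```shell
#!/bin/sh
# Added example: list the OpenSSL libraries a process has mapped and flag any
# that live outside the distribution's library directories.
# Real use: CHECK_PID=<pid of the web server> sh thisfile.sh

# Read /proc/<pid>/maps-format text on stdin; print each distinct
# libssl/libcrypto path once (field 6 is the mapped file).
ssl_libs_from_maps() {
    awk '$6 ~ "/lib(ssl|crypto)[^/]*[.]so" { print $6 }' | sort -u
}

# "system" if the path is in a directory the distribution's packages install
# libraries into, "bundled" otherwise (e.g. an all-in-one stack under /opt).
classify_lib() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo system ;;
        *) echo bundled ;;
    esac
}

# One line per library: "<class> <path>".
report_maps() {
    ssl_libs_from_maps | while read -r path; do
        printf '%s %s\n' "$(classify_lib "$path")" "$path"
    done
}

# Constructed sample of /proc/<pid>/maps for a server that loads its own
# OpenSSL next to a module linked against the packaged 0.9.8 library.
sample_maps() {
    cat <<'EOF'
7f10a0000000-7f10a0050000 r-xp 00000000 08:01 131090 /opt/webstack/lib/libssl.so.1.0.0
7f10a0050000-7f10a0060000 rw-p 00050000 08:01 131090 /opt/webstack/lib/libssl.so.1.0.0
7f10a1000000-7f10a1180000 r-xp 00000000 08:01 131091 /opt/webstack/lib/libcrypto.so.1.0.0
7f10a2000000-7f10a2040000 r-xp 00000000 08:01 262200 /usr/lib/libssl.so.0.9.8
7f10a3000000-7f10a3150000 r-xp 00000000 08:01 262300 /lib/libc-2.11.3.so
7f10a4000000-7f10a4021000 rw-p 00000000 00:00 0
EOF
}

if [ -n "${CHECK_PID:-}" ]; then
    report_maps < "/proc/$CHECK_PID/maps"
else
    sample_maps | report_maps
fi
```

A "bundled" line means the server's TLS code is not covered by the distribution's security updates and has to be patched through whoever ships that stack. A server with OpenSSL statically linked into its binary will show no libssl mapping at all, so an empty report does not by itself mean the packaged library is in use.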