Lots of tools available. I'm with ferg, surprised more haven't been mentioned here.

Tools to check for the bug:

• on your own box: https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
• online: http://filippo.io/Heartbleed/ (use carefully as they might log what you check)
• online: http://possible.lv/tools/hb/
• offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias Dussa, also takes a CSV file with host names for input and ports as parameter
• offline: http://s3.jspenguin.org/ssltest.py
• offline: https://github.com/titanous/heartbleeder

List of vulnerable Linux distributions: <http://www.circl.lu/pub/tr-21/>.

Anyone have any more?

--
TTFN,
patrick

On Apr 08, 2014, at 12:11 , Jonathan Lassoff <j...@thejof.com> wrote:

> For testing, I've had good luck with
> https://github.com/titanous/heartbleeder and
> https://gist.github.com/takeshixx/10107280
>
> Both are mostly platform-independent, so they should be able to work even
> if you don't have a modern OpenSSL to test with.
>
> Cheers and good luck (you're going to need it),
> jof
>
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <m...@mtcc.com> wrote:
>
>> Just as a data point, I checked the servers I run and it's a good thing I
>> didn't reflexively update them first.
>> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>> the vulnerability, but the
>> ones queued up for update do. I assume that redhat will get the patched
>> version soon but be careful!
>>
>> Mike
>>
>>
>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> I'm really surprised no one has mentioned this here yet...
>>>
>>> FYI,
>>>
>>> - - ferg
>>>
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: Rich Kulawiec <r...@gsp.org>
>>>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>>> Date: April 7, 2014 at 9:27:40 PM EDT
>>>>
>>>> This reaches across many versions of Linux and BSD and, I'd
>>>> presume, into some versions of operating systems based on them.
>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>> places.
>>>>
>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>>>> revealed
>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>>
>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>
>>>> OpenSSL versions affected (from link just above):
>>>> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>>>> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>>>> OpenSSL 1.0.0 branch is NOT vulnerable
>>>> OpenSSL 0.9.8 branch is NOT vulnerable
>>>>
>>>>
>>> - -- Paul Ferguson
>>> VP Threat Intelligence, IID
>>> PGP Public Key ID: 0x54DC85B2
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.22 (MingW32)
>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>
>>> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
>>> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
>>> =aAzE
>>> -----END PGP SIGNATURE-----
>>>
>>
>>
>>
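
Added example (not part of the thread or of any tool linked in it): a small triage helper that classifies OpenSSL version strings against the affected range quoted above and, following the CentOS observation in the thread, checks the queued update as well as the installed version. The host names, the inventory layout and the function names are assumptions made for illustration.

```python
import re

# Matches upstream-style versions such as "1.0.1e" or "1.0.1e-fips".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-([A-Za-z0-9]+))?")

def classify(version_string):
    """Return 'vulnerable', 'not vulnerable' or 'unknown' for a version string."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unknown"
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter, tag = m.group(4), (m.group(5) or "").lower()
    if tag.startswith(("beta", "pre", "dev")):
        return "unknown"              # pre-releases are not in the quoted list
    if branch in ((0, 9, 8), (1, 0, 0)):
        return "not vulnerable"
    if branch == (1, 0, 1):
        # Plain 1.0.1 (no letter) through 1.0.1f are listed as vulnerable.
        # Assumption: letters after 'g' are later releases that keep the fix.
        return "vulnerable" if letter < "g" else "not vulnerable"
    return "unknown"                  # branch not mentioned in the thread

def triage(inventory):
    """Map host -> action, checking the installed AND the queued-update version."""
    actions = {}
    for host, installed, queued in inventory:
        now = classify(installed)
        after = classify(queued) if queued else now
        if now == "vulnerable":
            actions[host] = "upgrade to a fixed build"
        elif after == "vulnerable":
            actions[host] = "hold queued update"
        elif "unknown" in (now, after):
            actions[host] = "test manually"
        else:
            actions[host] = "ok"
    return actions

# Constructed sample inventory: (host, installed version, queued update or None).
INVENTORY = [
    ("centos6-a", "OpenSSL 1.0.0-fips 29 Mar 2010", "1.0.1e"),
    ("web-b", "OpenSSL 1.0.1e-fips 11 Feb 2013", "1.0.1g"),
    ("mail-c", "OpenSSL 0.9.8y 5 Feb 2013", None),
    ("vpn-d", "OpenSSL 1.0.2-beta1 24 Feb 2014", None),
]

if __name__ == "__main__":
    for host, action in triage(INVENTORY).items():
        print(host, action)
```

A version match is a triage signal only, since a distribution can patch a package without changing the upstream version string; confirm the result with one of the testing tools listed in the thread.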