Hi, I was wondering why most of my secure services didn't show up as vulnerable...
-----

It does not seem to affect those services that require a valid user certificate.

aka, in apache 2.2

    SSLVerifyClient Require
    SSLVerifyDepth 1 (up to 10)

I couldn't find a way to use the HB before satisfying the verify.

I might be wrong.

-----
Alain Hebert                                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 04/08/14 08:18, David Hubbard wrote:
> Don't forget to restart every daemon that was using the old library as
> well, or just reboot.
>
> -----Original Message-----
> From: Peter Kristolaitis [mailto:alte...@alter3d.ca]
> Sent: Tuesday, April 08, 2014 1:19 AM
> To: nanog@nanog.org
> Subject: Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>
> Not just run the updates -- all private keys should be changed too, on
> the assumption that they've been compromised already. THAT is going to
> be the crappy part of this.
>
> - Pete
>
>
> On 4/8/2014 1:13 AM, David Hubbard wrote:
>> RHEL and CentOS both have patches out as of a couple hours ago, so run
>> those updates! CentOS' mirrors do not all have it yet, so if you are
>> updating, make sure you get the
>> 1.0.1e-16.el6_5.7 version and not older.
>>
>> David
>>
>> -----Original Message-----
>> From: Paul Ferguson [mailto:fergdawgs...@mykolab.com]
>> Sent: Tuesday, April 08, 2014 1:07 AM
>> To: NANOG
>> Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - ferg
>
>
> Begin forwarded message:
>
> >>> From: Rich Kulawiec <r...@gsp.org>
> >>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
> >>> Date: April 7, 2014 at 9:27:40 PM EDT
> >>>
> >>> This reaches across many versions of Linux and BSD and, I'd presume,
> >>> into some versions of operating systems based on them.
> >>> OpenSSL is used in web servers, mail servers, VPNs, and many other
> >>> places.
> >>>
> >>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
> >>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
> >>>
> >>> Technical details: Heartbleed Bug http://heartbleed.com/
> >>>
> >>> OpenSSL versions affected (from link just above):
> >>> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> >>> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
> >>> OpenSSL 1.0.0 branch is NOT vulnerable
> >>> OpenSSL 0.9.8 branch is NOT vulnerable
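
The advice quoted above to restart every daemon that was using the old library can be verified after patching. The following is an added example, not part of the original thread: a shell function that lists processes still mapping a deleted libssl or libcrypto. The function names, the PROC_ROOT argument and the sample maps lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Report processes that still map a deleted libssl/libcrypto, i.e. daemons
# started before the package update and not yet restarted.

# stale_ssl_procs [PROC_ROOT]
# PROC_ROOT defaults to /proc; the parameter is an assumption of this
# example so the function can be pointed at a constructed tree.
stale_ssl_procs() {
    local proc_root="${1:-/proc}" dir name
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        # Once the updated package unlinks the old .so, the kernel marks
        # mappings of it with a trailing "(deleted)".
        if grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' \
                "$dir/maps" 2>/dev/null; then
            name="$(cat "$dir/comm" 2>/dev/null || true)"
            printf '%s %s\n' "${dir##*/}" "${name:-unknown}"
        fi
    done
}

# Build a constructed /proc-like tree: PID 101 was started before the
# update, PID 202 was restarted after it. Prints the tree's path.
make_sample_proc() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/202"
    echo httpd > "$root/101/comm"
    echo sshd  > "$root/202/comm"
    cat > "$root/101/maps" <<'EOF'
7f3a1c000000-7f3a1c05f000 r-xp 00000000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c400000-7f3a1c5b0000 r-xp 00000000 fd:00 1312 /usr/lib64/libcrypto.so.1.0.1e (deleted)
EOF
    cat > "$root/202/maps" <<'EOF'
7f9b20000000-7f9b2005f000 r-xp 00000000 fd:00 2411 /usr/lib64/libssl.so.1.0.1e
7f9b20400000-7f9b205b0000 r-xp 00000000 fd:00 2412 /usr/lib64/libcrypto.so.1.0.1e
EOF
    printf '%s\n' "$root"
}

sample="$(make_sample_proc)"
stale_ssl_procs "$sample"      # constructed data: reports only PID 101
rm -rf "$sample"
```

Called with no argument, `stale_ssl_procs` reads the live /proc (run it as root to see other users' processes). Statically linked binaries do not show up in this check.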