hi drexx,

google security guy is the one who found the bug and google fixed
their sites before sending the info to the community...

below is the site to test the bug vulnerability..

http://packetstormsecurity.com/files/author/11160/

fooler.

On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal]
<dre...@gmail.com> wrote:
> 09Apr2014 (UTC +8)
>
> Here's a quick test on your localhost, & you don't even need to be root...
>
>
> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'
>
> TLS server extension "heartbeat" (id=15), len=1
>
> drexx@MACHINE:~$ date;
> Wed Apr  9 21:02:58 PHT 2014
>
> drexx@MACHINE:~$ uname -a
> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Drexx Laggui  -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> http://www.laggui.com  ( Manila & California )
> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> PGP fingerprint = 0117 15C5 F3B1 6564 59EA  6013 1308 9A66 41A2 3F9B
>
>
> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar <rudelsaldi...@gmail.com> 
> wrote:
>>
>> And I may add this link for the exact patch version since different package
>> revisions exist for different versions of Ubuntu -
>> http://www.ubuntu.com/usn/usn-2165-1/
>>
>> Ubuntu 13.10:
>>     libssl1.0.0 1.0.1e-3ubuntu1.2
>> Ubuntu 12.10:
>>     libssl1.0.0 1.0.1c-3ubuntu2.7
>> Ubuntu 12.04 LTS:
>>     libssl1.0.0 1.0.1-4ubuntu5.12
>>
>> As for CentOS 6, they haven't released a patch version, but the latest
>> available in the update repo has the heartbeat feature disabled, an interim
>> workaround, so upgrade when you can:
>> http://www.spinics.net/lists/centos-announce/msg04910.html
>>
>>
>> -----
>>
>> -[ OpenSource, Open Ideas ]-
>>
>>
>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail <fooler.m...@gmail.com> wrote:
>>>
>>> pluggers,
>>>
>>> action needed from you if you are not aware of this serious security
>>> hole...
>>>
>>> http://www.openssl.org/news/secadv_20140407.txt
>>>
>>>  update/patch your openssl package...  create a new private key using
>>> updated/patched openssl... create a new CSR based on that new private
>>> key and update your https site(s) with a new signed certificate (this
>>> includes self-signed certificate as well)
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> http://lists.linux.org.ph/mailman/listinfo/plug
> Searchable Archives: http://archives.free.net.ph