On the other hand, since this is open source, someone is bound to find the hole. What about proprietary systems?

On Apr 10, 2014 6:37 PM, "fooler mail" <[email protected]> wrote:
> pluggers,
>
> another action needed from you... if you use the service of any of the
> sites listed in the link below, then you need to change your
> password...
>
>
> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link
>
> it's time to realize why open source is not as secure as others
> claim it to be... but of course... there are still plenty of
> undiscovered security holes waiting to be discovered by security
> engineers... when this heartbeat outbreak happened last Monday... I spoke to my
> colleague yesterday, as this is one of the projects of big brother,
> who paid an open source developer working on a specific application to
> insert backdoor code... (I have to use other words so big brother's
> scanner won't see it)... to my surprise.. he mentioned to me
> that he worked at noviembre sierra alfa previously and he can
> confirm that, but he won't go into the details... I also told
> him that I saw one backdoor in the Linux kernel, and until now it is still in
> there... you can't see it by a normal CLI command, but it is there sitting
> innocently...
>
> I made a statement on ph-cyberview a year or so ago that we are not
> safe anymore... much worse if you are inside China....
>
>
> fooler.
>
> On Wed, Apr 9, 2014 at 3:36 PM, fooler mail <[email protected]> wrote:
> > hi drexx,
> >
> > the google security guy is the one who found the bug, and google fixed
> > their sites before sending the info to the community...
> >
> > below is the site to test for the bug vulnerability..
> >
> > http://packetstormsecurity.com/files/author/11160/
> >
> > fooler.
> >
> > On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal]
> > <[email protected]> wrote:
> >> 09Apr2014 (UTC +8)
> >>
> >> Here's a quick test on your localhost, & you don't even need to be
> >> root...
> >>
> >>
> >> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'
> >>
> >> TLS server extension "heartbeat" (id=15), len=1
> >>
> >> drexx@MACHINE:~$ date;
> >> Wed Apr 9 21:02:58 PHT 2014
> >>
> >> drexx@MACHINE:~$ uname -a
> >> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >>
> >>
> >> Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> >> http://www.laggui.com ( Manila & California )
> >> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> >> PGP fingerprint = 0117 15C5 F3B1 6564 59EA 6013 1308 9A66 41A2 3F9B
> >>
> >>
> >> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar <[email protected]> wrote:
> >>>
> >>> And I may add this link for the exact patch version, since different package
> >>> revisions exist for different versions of Ubuntu -
> >>> http://www.ubuntu.com/usn/usn-2165-1/
> >>>
> >>> Ubuntu 13.10:
> >>> libssl1.0.0 1.0.1e-3ubuntu1.2
> >>> Ubuntu 12.10:
> >>> libssl1.0.0 1.0.1c-3ubuntu2.7
> >>> Ubuntu 12.04 LTS:
> >>> libssl1.0.0 1.0.1-4ubuntu5.12
> >>>
> >>> As for CentOS 6, they haven't released a patched version, but the latest
> >>> available in the update repo has the heartbeat feature disabled, an interim
> >>> workaround, so upgrade when you can:
> >>> http://www.spinics.net/lists/centos-announce/msg04910.html
> >>>
> >>>
> >>> -----
> >>>
> >>> -[ OpenSource, Open Ideas ]-
> >>>
> >>>
> >>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail <[email protected]> wrote:
> >>>>
> >>>> pluggers,
> >>>>
> >>>> action needed from you if you are not aware of this serious security
> >>>> hole...
> >>>>
> >>>> http://www.openssl.org/news/secadv_20140407.txt
> >>>>
> >>>> update/patch your openssl package...
> >>>> create a new private key using the updated/patched openssl... create a new CSR based on that new private
> >>>> key and update your https site(s) with a new signed certificate (this
> >>>> includes self-signed certificates as well)
> >> _________________________________________________
> >> Philippine Linux Users' Group (PLUG) Mailing List
> >> http://lists.linux.org.ph/mailman/listinfo/plug
> >> Searchable Archives: http://archives.free.net.ph
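A note on what Drexx's one-liner actually proves. `openssl s_client -tlsextdebug` prints the extensions the server sent back in its ServerHello, and the grep matches extension id 15 (heartbeat, RFC 6520). That tells you the heartbeat code path is enabled, which is a precondition for Heartbleed (CVE-2014-0160), not proof of it: an OpenSSL patched to 1.0.1g still advertises the extension, while a build with heartbeats compiled out, like the CentOS interim package Rudel mentions, does not. So the grep separates "heartbeat on" from "heartbeat off"; only the package version (the USN list above) or an actual malformed-heartbeat probe separates "vulnerable" from "fixed". The script below is an added example by the editor, not code from this thread or from OpenSSL: it does the same extension check offline on raw ServerHello bytes, so it can be run against a pcap export or a test vector, and it refuses to trust any length field that does not match the bytes present. The ServerHello it parses is constructed by `build_server_hello()` (random bytes, cipher suite 0xC02F, an optional renegotiation_info extension), not a real capture.

```python
"""
Offline check for the heartbeat TLS extension (RFC 6520, type 15) in a
captured ServerHello, i.e. the same thing the thread's
`openssl s_client -tlsextdebug | grep heartbeat` one-liner looks for.

Added example, not code from the PLUG thread. The ServerHello it parses is
constructed by build_server_hello() below, not a real capture.
"""
import os
import struct

HANDSHAKE = 22                # TLS record ContentType.handshake
SERVER_HELLO = 2              # HandshakeType.server_hello
HEARTBEAT_EXT = 15            # ExtensionType.heartbeat (RFC 6520)
PEER_ALLOWED_TO_SEND = 1      # HeartbeatMode values from RFC 6520
PEER_NOT_ALLOWED_TO_SEND = 2


def parse_server_hello(record: bytes) -> dict:
    """Parse a single TLS record holding a ServerHello.

    Returns {"version": int, "cipher_suite": int, "extensions": {type: data}}.
    Every length field is checked against the bytes actually present, so a
    truncated or lying length raises ValueError instead of reading garbage.
    """
    if len(record) < 5:
        raise ValueError("record header truncated")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length exceeds data")

    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length exceeds data")

    # Fixed part: version(2) random(32) session_id_len(1) session_id(...)
    if len(hello) < 35:
        raise ValueError("ServerHello too short")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 35 + hello[34]                      # skip random and session_id
    if len(hello) < pos + 3:
        raise ValueError("ServerHello missing cipher suite/compression")
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                  # cipher_suite(2) + compression(1)

    extensions = {}
    if pos < len(hello):                      # extensions block is optional
        if len(hello) - pos < 2:
            raise ValueError("extensions length field truncated")
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end != len(hello):
            raise ValueError("extensions length does not match data")
        while pos < end:
            if end - pos < 4:
                raise ValueError("extension header truncated")
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if pos + ext_len > end:
                raise ValueError("extension data truncated")
            extensions[ext_type] = hello[pos:pos + ext_len]
            pos += ext_len
    return {"version": version, "cipher_suite": cipher_suite,
            "extensions": extensions}


def heartbeat_mode(record: bytes):
    """None if the server did not advertise heartbeat, else its HeartbeatMode byte."""
    data = parse_server_hello(record)["extensions"].get(HEARTBEAT_EXT)
    if data is None:
        return None
    if len(data) != 1:                        # RFC 6520: exactly one mode byte
        raise ValueError("heartbeat extension body must be exactly one byte")
    return data[0]


def build_server_hello(extensions: dict, version: int = 0x0303,
                       cipher_suite: int = 0xC02F) -> bytes:
    """Construct a minimal ServerHello record (test vector, not a real capture)."""
    hello = struct.pack("!H", version) + os.urandom(32) + b"\x00"   # empty session id
    hello += struct.pack("!H", cipher_suite) + b"\x00"              # null compression
    if extensions:
        ext_block = b"".join(struct.pack("!HH", t, len(d)) + d
                             for t, d in extensions.items())
        hello += struct.pack("!H", len(ext_block)) + ext_block
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed samples: a server that advertises heartbeat (as an unpatched
    # or a patched-but-heartbeat-enabled OpenSSL 1.0.1 does) and one that does
    # not (heartbeat compiled out). 0xFF01 is renegotiation_info, for realism.
    samples = (("advertises heartbeat", {0xFF01: b"\x00", HEARTBEAT_EXT: b"\x01"}),
               ("no heartbeat", {0xFF01: b"\x00"}))
    for label, exts in samples:
        print(f"{label}: heartbeat mode = {heartbeat_mode(build_server_hello(exts))}")
```

To use it on real traffic, export the first server-to-client handshake record from a capture and pass its bytes to `heartbeat_mode()`; a return of `1` or `2` is the `len=1` extension the grep matches, `None` means the server never advertised heartbeat. Treat a hit as "go check the package version", not as a finding on its own.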

