Re: [SECURITY] [DSA 2896-1] openssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear all, We are very concerned about the 'Heartbeat' security problem which has been discovered with OpenSSL. Thanks to our out-of-date old-stable version of debian, we are using: openssl 0.9.8o-4squeeze14 This page also claims debian 6 (which we use) is unaffected: https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability as does the text of the DSA below. However, both of the heartbeat vulnerability checkers we have used have told us that they were able to successfully exploit this vulnerability against our site: http://filippo.io/Heartbleed/#noflag.org.uk https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk What could be going on here? Thanks in advance for all your help, Daniel Salvatore Bonaccorso wrote: - Debian Security Advisory DSA-2896-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 07, 2014 http://www.debian.org/security/faq - Package: openssl CVE ID : CVE-2014-0160 Debian Bug : 743883 A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Hearbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory. All users are urged to upgrade their openssl packages (especially libssl1.0.0) and restart applications as soon as possible. According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible. More details will be communicated at a later time. The oldstable distribution (squeeze) is not affected by this vulnerability. For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5. For the testing distribution (jessie), this problem has been fixed in version 1.0.1g-1. For the unstable distribution (sid), this problem has been fixed in version 1.0.1g-1. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCgAGBQJTSAmqAAoJEJhsX8U2K7jUaD0H/2FUZIr4qKST1NCAKrgjP53V jQknF8erQrGhUrP1hKE2FckuKJljeUAv6rUEVJCiuEPWmCgL08Eoy1SZuIG2S72q vRbfyYaIz2GKVoGdbkW0GMe963mLUhJ1H5PdcPrsApUZ9AcwQPYKGqLx4/TTrOsB nbr19ELLQbZCfE8SsUuMDpy/bHeF3c9gb5iUhcnpow6KIjzYGKaJfhiV6HxVlkDX krdkegdOUn2wKu/deLoARpMqyz6a7son8YcbQ71/XIogtGnxY0L4T9Nabj4NChB/ ggIu+7x62teyb56vToySrXKF5HaqDE2Bna7cJSlD0ia64ME1yG/4joL93Jt10IY= =kDpQ -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/534809aa.2000...@noflag.org.uk
Aw: Re: [SECURITY] [DSA 2896-1] openssl security update
Your server talks spdy. Have you upgraded mod_spdy to 0.9.4.2? (for mod_spy you need an Apache HTTP Server 2.4.X, in squeeze there is only 2.2.16 ...) Gesendet: Freitag, 11. April 2014 um 17:26 Uhr Von: daniel dan...@noflag.org.uk An: debian-security@lists.debian.org Cc: - Noflag ad...@lists.noflag.org.uk Betreff: Re: [SECURITY] [DSA 2896-1] openssl security update -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear all, We are very concerned about the 'Heartbeat' security problem which has been discovered with OpenSSL. Thanks to our out-of-date old-stable version of debian, we are using: openssl 0.9.8o-4squeeze14 This page also claims debian 6 (which we use) is unaffected: https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability as does the text of the DSA below. However, both of the heartbeat vulnerability checkers we have used have told us that they were able to successfully exploit this vulnerability against our site: http://filippo.io/Heartbleed/#noflag.org.uk https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk What could be going on here? Thanks in advance for all your help, Daniel Salvatore Bonaccorso wrote: - Debian Security Advisory DSA-2896-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 07, 2014 http://www.debian.org/security/faq - Package: openssl CVE ID : CVE-2014-0160 Debian Bug : 743883 A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Hearbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory. All users are urged to upgrade their openssl packages (especially libssl1.0.0) and restart applications as soon as possible. According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible. More details will be communicated at a later time. The oldstable distribution (squeeze) is not affected by this vulnerability. For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5. For the testing distribution (jessie), this problem has been fixed in version 1.0.1g-1. For the unstable distribution (sid), this problem has been fixed in version 1.0.1g-1. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCgAGBQJTSAmqAAoJEJhsX8U2K7jUaD0H/2FUZIr4qKST1NCAKrgjP53V jQknF8erQrGhUrP1hKE2FckuKJljeUAv6rUEVJCiuEPWmCgL08Eoy1SZuIG2S72q vRbfyYaIz2GKVoGdbkW0GMe963mLUhJ1H5PdcPrsApUZ9AcwQPYKGqLx4/TTrOsB nbr19ELLQbZCfE8SsUuMDpy/bHeF3c9gb5iUhcnpow6KIjzYGKaJfhiV6HxVlkDX krdkegdOUn2wKu/deLoARpMqyz6a7son8YcbQ71/XIogtGnxY0L4T9Nabj4NChB/ ggIu+7x62teyb56vToySrXKF5HaqDE2Bna7cJSlD0ia64ME1yG/4joL93Jt10IY= =kDpQ -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/534809aa.2000...@noflag.org.uk -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/trinity-f3090dbc-834c-45ec-8cca-501d4781f536-1397231562657@3capp-gmx-bs20
Re: [SECURITY] [DSA 2896-1] openssl security update
On 11.04.2014, at 17:26, daniel dan...@noflag.org.uk wrote: We are very concerned about the 'Heartbeat' security problem which has been discovered with OpenSSL. Thanks to our out-of-date old-stable version of debian, we are using: openssl 0.9.8o-4squeeze14 This page also claims debian 6 (which we use) is unaffected: https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability as does the text of the DSA below. However, both of the heartbeat vulnerability checkers we have used have told us that they were able to successfully exploit this vulnerability against our site: http://filippo.io/Heartbleed/#noflag.org.uk https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk What could be going on here? you are not using the squeeze-Apache but a newer one compiled with a newer openssl. If you do a dpkg -l openssl and don’t get a higher version than 0.9.8 you are probably running one of these “all in one” website packages that provides it’s own apache and applications. Dirk -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/fefc911f-53ca-48b6-8c75-201bee204...@morticah.net
Re: Aw: Re: [SECURITY] [DSA 2896-1] openssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Thank you all for your help. Mod_spdy has a statically-linked vulnerable version of OpenSSL. After the standard update we are no longer vulnerable. Daniel Estelmann, Christian wrote: Your server talks spdy. Have you upgraded mod_spdy to 0.9.4.2? (for mod_spy you need an Apache HTTP Server 2.4.X, in squeeze there is only 2.2.16 ...) Gesendet: Freitag, 11. April 2014 um 17:26 Uhr Von: daniel dan...@noflag.org.uk An: debian-security@lists.debian.org Cc: - Noflag ad...@lists.noflag.org.uk Betreff: Re: [SECURITY] [DSA 2896-1] openssl security update Dear all, We are very concerned about the 'Heartbeat' security problem which has been discovered with OpenSSL. Thanks to our out-of-date old-stable version of debian, we are using: openssl 0.9.8o-4squeeze14 This page also claims debian 6 (which we use) is unaffected: https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability as does the text of the DSA below. However, both of the heartbeat vulnerability checkers we have used have told us that they were able to successfully exploit this vulnerability against our site: http://filippo.io/Heartbleed/#noflag.org.uk https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk What could be going on here? Thanks in advance for all your help, Daniel Salvatore Bonaccorso wrote: - Debian Security Advisory DSA-2896-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 07, 2014 http://www.debian.org/security/faq - Package: openssl CVE ID : CVE-2014-0160 Debian Bug : 743883 A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Hearbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory. All users are urged to upgrade their openssl packages (especially libssl1.0.0) and restart applications as soon as possible. According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible. More details will be communicated at a later time. The oldstable distribution (squeeze) is not affected by this vulnerability. For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5. For the testing distribution (jessie), this problem has been fixed in version 1.0.1g-1. For the unstable distribution (sid), this problem has been fixed in version 1.0.1g-1. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/534809aa.2000...@noflag.org.uk -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCgAGBQJTSJ6JAAoJEJhsX8U2K7jUalEH/1z4Se3I715yhKe0CKmA67qU ngPQO8OxRmq9NxdWz+S5+htXEoX8MIF0PF6MIqNmN9toMhBEgGObTuG0UlxRgVa7 6T/6JaWm45Ivl3m8t8enwRddunjFWKTU4/M91eOOsdTmGt8Y7CHuYtN3NoPUMVHf vUQeyMuWIawS+HiJl0eXTVb3522jVavnkh/WKOTcHGUeTSBBt95DErG2cldCuIXY Vbru6nsAgNdEwL7dOxpqtsyXNWfCoBJCjsDAZD2nNs1z12Zv0Dx/GHvXf9z2HnH2 3+MIXS2nzgd1+F+tzzNxXlVergp3Q9zLlELckmJwTpvKDrF/hc0eHBYosn2m05k= =N86v -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/53489e89.2070...@noflag.org.uk
Re: Aw: Re: [SECURITY] [DSA 2896-1] openssl security update
On Sat, Apr 12, 2014 at 10:01 AM, daniel wrote: Mod_spdy has a statically-linked vulnerable version of OpenSSL That sounds like a pretty bad bug in your copy of mod_spdy, please ask the vendor of your copy of mod_spdy to fix this by depending on the OpenSSL shared library instead of statically linking with OpenSSL. -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/CAKTje6Ej=0q2gn2lk1o3fjgre_xjac0oprizead1e+rhywe...@mail.gmail.com