Re: Aw: Re: [SECURITY] [DSA 2896-1] openssl security update

2014-04-11 Thread Paul Wise
On Sat, Apr 12, 2014 at 10:01 AM, daniel wrote:

> Mod_spdy has a statically-linked vulnerable version of OpenSSL

That sounds like a pretty bad bug in your copy of mod_spdy, please ask
the vendor of your copy of mod_spdy to fix this by depending on the
OpenSSL shared library instead of statically linking with OpenSSL.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAKTje6Ej=0q2gn2lk1o3fjgre_xjac0oprizead1e+rhywe...@mail.gmail.com
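The thread turns on one point: a package update to libssl only fixes programs that load the shared library, while a module that statically linked its own OpenSSL copy keeps the vulnerable code. As an added example (not from the list, not from Debian or the mod_spdy project), the POSIX shell functions below check a binary or Apache module both ways: does it link libssl/libcrypto as shared objects, and does it carry an embedded OpenSSL version banner? The module directory in `scan_modules` and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example. An embedded build banner looks like "OpenSSL 1.0.1e 11 Feb 2013";
# a program that only uses the system library carries no such string of its own.
openssl_banner() {
    # -a: treat the binary as text; -o: print just the match; first hit only
    grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]* [0-9]\{1,2\} [A-Z][a-z][a-z] [0-9]\{4\}' \
        "$1" 2>/dev/null | head -n 1
}

links_shared_openssl() {
    # ldd only understands ELF objects; any failure counts as "not dynamic"
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -q -E 'lib(ssl|crypto)\.so'
}

# Prints: dynamic (the distro's libssl update covers it), static (no shared
# libssl but its own OpenSSL banner, as with the mod_spdy in the thread), none.
openssl_link_mode() {
    if links_shared_openssl "$1"; then
        echo dynamic
    elif [ -n "$(openssl_banner "$1")" ]; then
        echo static
    else
        echo none
    fi
}

# Heartbleed (CVE-2014-0160) is present in OpenSSL 1.0.1 through 1.0.1f.
# Takes a banner string; returns 0 if the embedded version is in that range.
banner_in_heartbleed_range() {
    case "$1" in
        "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1"[a-f]" "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk an Apache module directory (assumed path) and report each module.
scan_modules() {
    dir="${1:-/usr/lib/apache2/modules}"
    for m in "$dir"/*.so; do
        [ -e "$m" ] || continue
        b="$(openssl_banner "$m")"
        flag=""
        if [ -n "$b" ] && banner_in_heartbleed_range "$b"; then flag="VULNERABLE-RANGE"; fi
        printf '%s\t%s\t%s\t%s\n' "$m" "$(openssl_link_mode "$m")" "${b:-no-banner}" "$flag"
    done
}
```

A module reported as `static` with a banner in the vulnerable range is not fixed by `apt-get upgrade openssl`; it needs a rebuilt module from its vendor, and the process loading it restarted.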



Re: Aw: Re: [SECURITY] [DSA 2896-1] openssl security update

2014-04-11 Thread daniel

Thank you all for your help. Mod_spdy has a statically-linked vulnerable
version of OpenSSL. After the standard update we are no longer vulnerable.

Daniel

Estelmann, Christian wrote:
> Your server talks spdy. Have you upgraded mod_spdy to 0.9.4.2?
> 
> (for mod_spdy you need an Apache HTTP Server 2.4.X, in squeeze there
> is only 2.2.16 ...)
> 
>> Sent: Friday, 11 April 2014 at 17:26
>> From: daniel
>> To: debian-security@lists.debian.org
>> Cc: "- Noflag"
>> Subject: Re: [SECURITY] [DSA 2896-1] openssl security update
>> 
> Dear all,
> 
> We are very concerned about the 'Heartbeat' security problem which
> has been discovered with OpenSSL. Thanks to our out-of-date
> old-stable version of debian, we are using:
> 
> openssl 0.9.8o-4squeeze14
> 
> This page also claims debian 6 (which we use) is unaffected:
> https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
> as does the text of the DSA below.
> 
> However, both of the heartbeat vulnerability checkers we have used
> have told us that they were able to successfully exploit this
> vulnerability against our site:
> 
> http://filippo.io/Heartbleed/#noflag.org.uk 
> https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk
> 
> What could be going on here?
> 
> Thanks in advance for all your help,
> 
> Daniel
> 
> Salvatore Bonaccorso wrote:
 - -------------------------------------------------------------------------
 Debian Security Advisory DSA-2896-1                   secur...@debian.org
 http://www.debian.org/security/                      Salvatore Bonaccorso
 April 07, 2014                         http://www.debian.org/security/faq
 - -------------------------------------------------------------------------

 Package        : openssl
 CVE ID         : CVE-2014-0160
 Debian Bug     : 743883

 A vulnerability has been discovered in OpenSSL's support for
 the TLS/DTLS Heartbeat extension. Up to 64KB of memory from
 either client or server can be recovered by an attacker. This
 vulnerability might allow an attacker to compromise the private
 key and other sensitive data in memory.
 
 All users are urged to upgrade their openssl packages
 (especially libssl1.0.0) and restart applications as soon as
 possible.
 
 According to the currently available information, private keys
 should be considered as compromised and regenerated as soon as
 possible. More details will be communicated at a later time.
 
 The oldstable distribution (squeeze) is not affected by this 
 vulnerability.
 
 For the stable distribution (wheezy), this problem has been
 fixed in version 1.0.1e-2+deb7u5.
 
 For the testing distribution (jessie), this problem has been
 fixed in version 1.0.1g-1.
 
 For the unstable distribution (sid), this problem has been
 fixed in version 1.0.1g-1.
 
 We recommend that you upgrade your openssl packages.
 
 Further information about Debian Security Advisories, how to
 apply these updates to your system and frequently asked
 questions can be found at: http://www.debian.org/security/
 
 Mailing list: debian-security-annou...@lists.debian.org
 
 

