[ale] OpenSSL Broken, Upgrade Now

Adrya Stembridge adrya.stembridge at gmail.com
Wed Apr 16 10:48:43 EDT 2014


Vulnerable OpenSSL versions are
1.0.1f
1.0.1e
1.0.1d
1.0.1c
1.0.1b
1.0.1a
1.0.1



On Wed, Apr 16, 2014 at 10:32 AM, Jay Lozier <jslozier at gmail.com> wrote:

> Hi
>
> I believe the patched version is OpenSSL 1.0.1g 7 Apr 2014
>
> Jay
> On 04/16/2014 10:24 AM, Paul Cartwright wrote:
>
>> I ran that and also got the same:
>> openssl
>> OpenSSL> version
>> OpenSSL 1.0.1e-fips 11 Feb 2013
>>
>> openssl.x86_64 1:1.0.1e-37.fc20.1 @updates
>> openssl-libs.i686 1:1.0.1e-37.fc20.1 @updates
>> openssl-libs.x86_64 1:1.0.1e-37.fc20.1 @update
>>
>>
>> but I just got an updated openssl recently..
>>
>>>
>>> Yes and it is using the affected version. You need to patch.
>>>
>>> You can figure out your version of openssl by:
>>>
>>> Typing “openssl”
>>>
>>> At prompt type “version”.
>>>
>>> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
>>> Sent: Wednesday, April 16, 2014 8:38 AM
>>> To: Atlanta Linux Enthusiasts
>>> Subject: Re: [ale] OpenSSL Broken, Upgrade Now
>>>
>>> If I run ssh -v user at host I see:
>>>
>>> OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 51: Applying options for *
>>> ...
>>>
>>> So is OpenSSH _using_ OpenSSL for encryption processes?
>>>
>>> On Tue, Apr 15, 2014 at 1:07 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>>
>>> Heartbleed bug also affects android phones with Jelly Bean version
>>>
>>> http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows
>>>
>>> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik <david at systemoverlord.com> wrote:
>>>
>>>     TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider
>>>     replacing keys. Not as bad as Debian OpenSSL bug, but worse than
>>>     "goto fail;".
>>>
>>>     "The Heartbleed Bug is a serious vulnerability in the popular
>>>     OpenSSL cryptographic software library. This weakness allows
>>>     stealing the information protected, under normal conditions, by
>>>     the SSL/TLS encryption used to secure the Internet. SSL/TLS
>>>     provides communication security and privacy over the Internet for
>>>     applications such as web, email, instant messaging (IM) and some
>>>     virtual private networks (VPNs).
>>>
>>>     The Heartbleed bug allows anyone on the Internet to read the
>>>     memory of the systems protected by the vulnerable versions of the
>>>     OpenSSL software. This compromises the secret keys used to
>>>     identify the service providers and to encrypt the traffic, the
>>>     names and passwords of the users and the actual content. This
>>>     allows attackers to eavesdrop communications, steal data directly
>>>     from the services and users and to impersonate services and users."
>>>
>>>     http://heartbleed.com
>>>
>>>     --
>>>     David Tomaschik
>>>     OpenPGP: 0x5DEA789B
>>>     http://systemoverlord.com
>>>     david at systemoverlord.com
>>>
>>>     _______________________________________________
>>>     Ale mailing list
>>>     Ale at ale.org
>>>     http://mail.ale.org/mailman/listinfo/ale
>>>     See JOBS, ANNOUNCE and SCHOOLS lists at
>>>     http://mail.ale.org/mailman/listinfo
>>>
>>>
>>>
>>>
>>> --
>>> James P. Kinney III
>>>
>>> Every time you stop a school, you will have to build a jail. What you
>>> gain at one end you lose at the other. It's like feeding a dog on his own
>>> tail. It won't fatten the dog.
>>> - Speech 11/23/1900 Mark Twain
>>>
>>> http://heretothereideas.blogspot.com/
>>
>>
>> --
>> Paul Cartwright
>> Registered Linux User #367800 and new counter #561587
>>
>>
>
> --
> Jay Lozier
> jslozier at gmail.com
>
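
The version check discussed in this thread, as an added example that is not part of the original messages: a shell function that pulls the upstream version out of `openssl version` output or the `ssh -v` banner and compares it with the range listed above (1.0.1 through 1.0.1f, with 1.0.1g patched). The function names, result labels and the last two sample lines are constructed for illustration; a distribution package can carry a backported fix without changing the upstream version string, so a match here means the package changelog needs checking, not that the host is necessarily exposed.

```shell
#!/bin/sh
# Added example (not from the thread): compare an OpenSSL version string with
# the range listed in this thread: 1.0.1 through 1.0.1f vulnerable, 1.0.1g patched.
LC_ALL=C; export LC_ALL   # make the [a-f] / [a-z] ranges byte-exact

# Pull the upstream version token (e.g. "1.0.1e") out of `openssl version`
# output or an `ssh -v` banner. Build suffixes such as "-fips" are dropped.
extract_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p' |
        head -n 1
}

# Classify by upstream version string only. Distribution backports keep the
# old string, so "listed-vulnerable" means "verify the package changelog".
classify_openssl() {
    ver=$(extract_openssl_version "$1")
    case "$ver" in
        "")                echo "unknown" ;;
        1.0.1|1.0.1[a-f])  echo "listed-vulnerable" ;;
        1.0.1[g-z]*)       echo "patched-upstream" ;;
        *)                 echo "not-listed" ;;
    esac
}

# The first three lines are quoted in the thread; the last two are constructed.
while IFS= read -r line; do
    printf '%-18s %s\n' "$(classify_openssl "$line")" "$line"
done <<'EOF'
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 0.9.8y 5 Feb 2013
some banner without a version
EOF

# Check the local binary if one is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(classify_openssl "$(openssl version)")"
fi
```
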