I have applied all patches to my OpenSUSE 13.1 server and restarted Apache, but https://www.ssllabs.com/ssltest/analyze.html says I am still vulnerable to heartbleed. What else must I do?
On Fri, Apr 11, 2014 at 08:18:55AM -0400, James Rome wrote:
> I have applied all patches to my OpenSUSE 13.1 server and restarted Apache, but https://www.ssllabs.com/ssltest/analyze.html says I am still vulnerable to heartbleed. What else must I do?
Check with "zypper ps" if there are processes active that still use the old libssl.
Check with "rpm -q libopenssl1_0_0 --changelog | less" if the fix is in the rpm. (CVE-2014-0160)
Ciao, Marcus
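The reason "zypper ps" matters after a libssl update: a process that was started before the upgrade keeps the old library mapped, and the kernel marks such mappings "(deleted)" in /proc/<pid>/maps once the file on disk has been replaced. Restarting Apache is not enough if other daemons also link libssl. The following is an added example (not part of this thread or of zypper) that performs the same check directly: it scans the maps text for deleted mappings of a library whose path contains a given string, first on a constructed sample listing, then, in main(), over every readable process under /proc. Reading other users' maps files requires root.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One line of /proc/<pid>/maps refers to a stale library if the mapped
 * path contains `needle` and carries the kernel's "(deleted)" marker. */
static int line_is_stale(const char *line, const char *needle)
{
    return strstr(line, needle) != NULL && strstr(line, "(deleted)") != NULL;
}

/* Count stale mappings in a complete maps listing held in memory.
 * Each line is copied before matching so strstr cannot run past it. */
static int count_stale_mappings(const char *maps, const char *needle)
{
    int hits = 0;
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (line_is_stale(buf, needle))
            hits++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return hits;
}

/* Same check against a live process. Returns the number of stale
 * mappings, or -1 if the maps file cannot be opened (process exited,
 * or not running as root). */
static int pid_uses_stale_lib(int pid, const char *needle)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/maps", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char line[512];
    int hits = 0;
    while (fgets(line, sizeof line, f))
        if (line_is_stale(line, needle))
            hits++;
    fclose(f);
    return hits;
}

/* Constructed sample of what a pre-upgrade process looks like after
 * libopenssl was updated underneath it: the old libssl is still mapped
 * but the file has been replaced, libcrypto here is fresh. Addresses and
 * inode numbers are made up. */
static const char sample_maps[] =
    "7f3a1c000000-7f3a1c1b9000 r-xp 00000000 08:01 1310884 /lib64/libssl.so.1.0.0 (deleted)\n"
    "7f3a1c1b9000-7f3a1c3b9000 ---p 001b9000 08:01 1310884 /lib64/libssl.so.1.0.0 (deleted)\n"
    "7f3a1c3c0000-7f3a1c400000 r-xp 00000000 08:01 1310901 /lib64/libcrypto.so.1.0.0\n"
    "7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]\n";

/* Walk /proc and report every process that still maps a deleted libssl. */
int main(void)
{
    printf("sample listing: %d stale libssl mapping(s)\n",
           count_stale_mappings(sample_maps, "libssl"));
    DIR *proc = opendir("/proc");
    if (!proc)
        return 1;
    struct dirent *de;
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;
        int pid = atoi(de->d_name);
        int n = pid_uses_stale_lib(pid, "libssl");
        if (n > 0)
            printf("pid %d still maps a deleted libssl (%d mapping(s)); restart it\n", pid, n);
    }
    closedir(proc);
    return 0;
}
```

Any process reported here must be restarted (or the machine rebooted) before the SSL Labs result can change, regardless of what the rpm changelog says.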
On Fri, Apr 11, 2014 at 08:18:55AM -0400, James Rome wrote:
> I have applied all patches to my OpenSUSE 13.1 server and restarted Apache, but https://www.ssllabs.com/ssltest/analyze.html says I am still vulnerable to heartbleed. What else must I do?
Looking at the current git code checkout of openssl, right where it has been reviewed and patched for this heartbleed thing, we see unchecked malloc... code like this:
    buf = OPENSSL_malloc(1 + 2 + payload + padding);
    p = buf;
    *p++ = TLS1_HB_REQUEST;
Just wondering ... I mean, that code has just been reviewed, those very lines have been patched, and there is still a potential (however unlikely) NULL pointer deref inside the lib code?
if (!buffer) /* ignore */ ...
Seems like the obvious choice...
Cheers,
Lars Ellenberg
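To show concretely what the missing check costs and how the fixed shape looks, here is an added example, written for this thread and not taken from OpenSSL: a builder for the same "type byte, two-byte length, payload, padding" record layout the quoted lines produce, with the allocation result checked before the first store. The allocator is a hypothetical wrapper with a fail-once switch so that the NULL path can be exercised deliberately rather than by exhausting memory; padding is zero-filled here instead of random bytes, purely to keep the example self-contained.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Test hook (hypothetical, for this example only): when non-zero, the
 * next allocation fails on purpose so the caller's error path runs. */
static int fail_next_alloc = 0;

static void *record_malloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Build a record: 1-byte type, 2-byte big-endian payload length,
 * the payload, then `padding` zero bytes.
 * On success returns the buffer and stores its total size in *out_len.
 * On allocation failure or an oversize payload returns NULL with
 * *out_len = 0, so nothing is ever written through a NULL pointer. */
static unsigned char *build_record(uint8_t type, const unsigned char *payload,
                                   size_t payload_len, size_t padding,
                                   size_t *out_len)
{
    *out_len = 0;
    if (payload_len > 0xFFFF)            /* does not fit in two length bytes */
        return NULL;
    size_t total = 1 + 2 + payload_len + padding;
    unsigned char *buf = record_malloc(total);
    if (buf == NULL)                     /* the check the thread asks for */
        return NULL;
    unsigned char *p = buf;
    *p++ = type;
    *p++ = (unsigned char)(payload_len >> 8);
    *p++ = (unsigned char)(payload_len & 0xFF);
    memcpy(p, payload, payload_len);
    p += payload_len;
    memset(p, 0, padding);               /* zero padding: a simplification */
    *out_len = total;
    return buf;
}

/* Returns 1 if a normal build produces the expected bytes. */
static int normal_build_ok(void)
{
    size_t len = 0;
    unsigned char *r = build_record(0x01, (const unsigned char *)"hello", 5, 3, &len);
    if (r == NULL)
        return 0;
    int ok = len == 11 && r[0] == 0x01 && r[1] == 0x00 && r[2] == 0x05
          && memcmp(r + 3, "hello", 5) == 0
          && r[8] == 0 && r[9] == 0 && r[10] == 0;
    free(r);
    return ok;
}

/* Returns 1 if an injected allocation failure is reported as NULL
 * instead of being dereferenced. Without the check above this would
 * crash on the first store, which is the deref Lars is pointing at. */
static int survives_alloc_failure(void)
{
    size_t len = 99;
    fail_next_alloc = 1;
    unsigned char *r = build_record(0x01, (const unsigned char *)"hi", 2, 16, &len);
    return r == NULL && len == 0;
}

int main(void)
{
    return (normal_build_ok() && survives_alloc_failure()) ? 0 : 1;
}
```

The fail-once switch is the practical part: a NULL return from malloc is almost never seen in ordinary testing, so the only reliable way to know the "ignore" branch works is to force it.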