On April 10, 2014 4:45:16 AM EDT, Dsant <forum@votreservice.com> wrote:
> On 10/04/2014 01:22, Cristian Rodríguez wrote:
>> On 09/04/14 19:53, Matt Darnell wrote:
>>> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
>>> [[[ whether defending the US Constitution against all enemies,     ]]]
>>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>>>
>>> Question, has openSUSE 13.1 been affected by this? Also, has there been a secure fix for this, and if there is a fix, has it been tested and did it work?
>>
>> Fixes have been released already for 13.1. zypper patch is your best friend
>
> Will "zypper up" be enough? Or within some time?

This is a critical bug/vulnerability with huge impacts. Maybe the worst to ever affect Linux, but it only affects the server side of an SSL connection as I understand it.

For most openSUSE users it is not an issue from an admin perspective.

As users of the internet, this bug means everything transferred across the internet in the last 2 years that depended solely on SSL for security should be considered potentially breached. That assumes the server end of the connection was running a vulnerable version of OpenSSL, but as normal users you have to assume that.

That means the best practice for all users (including MS users) is to change all passwords used on the internet and watch credit info closely. Then give your internet providers (ISPs/SaaS providers/banks/stores/auction sites) some time to fix their end and do it all again.

I don't know how to test those providers to see if they are secure or not. I'm sure guidance will be forthcoming.

Assuming you are running a server serving encrypted data via OpenSSL:

Zypper up should be a superset of zypper patch, so yes, it should get it, but if this is important to you then don't just assume it will work. Get the OpenSSL patch, install it and read the description of the installed patch to make sure you have it.

Then, if it is important to you, you have a security key you use in conjunction with OpenSSL to serve secure data. You should consider your key breached. That means that key needs to be replaced with a new one. That is manual work and you may have to go buy a new one if it is a registered key. It should be done after you get the OpenSSL security patch installed on every machine in your network that uses the same key and OpenSSL. Normally that is only one machine, but some web farms share a key between machines.

Greg
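
Added example, not part of the original thread: a shell check that a reissued certificate really carries a new key rather than the old, possibly exposed one, which is the key replacement step described in the message above. The function names, file names and the example.test subject are assumptions, and the keys are constructed throwaway keys generated by the demo.

```shell
#!/bin/sh
# Compare the public key inside a certificate with the public key of the
# OLD private key. If they match, the certificate was reissued without
# actually replacing the key.

# stdin: PEM public key -> hex SHA-256 of its DER SubjectPublicKeyInfo
spki_hash() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public half of a private key file.
key_fp() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    printf '%s\n' "$pem" | spki_hash
}

# Fingerprint of the public key embedded in a certificate file.
cert_fp() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pem" | spki_hash
}

# 0 = certificate still uses the old key, 1 = key differs, 2 = unreadable input
key_reused() {
    old=$(key_fp "$1") || return 2
    cur=$(cert_fp "$2") || return 2
    [ "$old" = "$cur" ]
}

verdict() {
    key_reused "$1" "$2" && rc=0 || rc=$?
    case $rc in 0) echo reused ;; 1) echo rotated ;; *) echo error ;; esac
}

# Constructed demo: one certificate reissued on the old key (the mistake),
# one issued on a freshly generated key (the intended result).
rotation_demo() {
    d=$(mktemp -d) || return 2
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null
    openssl genrsa -out "$d/new.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/old.key" -subj "/CN=example.test" \
        -days 1 -out "$d/same-key.crt" 2>/dev/null
    openssl req -x509 -new -key "$d/new.key" -subj "/CN=example.test" \
        -days 1 -out "$d/rotated.crt" 2>/dev/null
    a=$(verdict "$d/old.key" "$d/same-key.crt")
    b=$(verdict "$d/old.key" "$d/rotated.crt")
    rm -rf "$d"
    echo "$a $b"
}
```

Calling `rotation_demo` prints the verdict for each constructed certificate; on a real server, `verdict` would be given the retired key file and the certificate currently being served.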