Ted Byers 04/10/14 12:45 PM >>>
On Thu, Apr 10, 2014 at 12:51 PM, Greg Freemyer wrote:
On Thu, Apr 10, 2014 at 12:37 PM, Ted Byers wrote:
Thanks, see below:
On Thu, Apr 10, 2014 at 12:34 PM, Andrey Borzenkov wrote:
On Thu, 10 Apr 2014 12:16:21 -0400 Ted Byers wrote:
It is good to know that there is a fix, but....
On Wed, Apr 9, 2014 at 7:22 PM, Cristian Rodríguez wrote:
On 09/04/14 19:53, Matt Darnell wrote:
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
Question, has OpenSUSE 13.1 been affected by this? Also, has there been a secure fix for this, and if there is a fix, has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend.
How is it that YaST does not seem to know about it? 'openssl version' reports version 1.0.12 from Feb. 11, 2013.
It must be a typo, this version does not yet exist.
Yes, that was a typo. It was supposed to be version 1.0.1e
I normally use just YaST and the notifications I get to apply any updates. Do Zypper and YaST play nicely together?
I have never used Zypper before, so I read its docs, and it seems 'zypper patch' will apply all available patches for anything that is installed (is that right?), but before I run it, I'd like to know if doing so will interfere, in a bad way, with my current use of YaST to apply updates.
No.
Great, Thanks. Guess what I'll be doing after lunch. ;-)
It only takes 10 seconds to pull this specific patch:
sudo zypper in -t patch openSUSE-2014-277
Greg
I tried that command, and it tells me that patch:openSUSE-2014-277 is already installed. I suppose YaST had picked it up. But 'openssl version' still reports version 1.0.1e. Was the patch just applying the fix to version 1.0.1e, and not an upgrade to version 1.0.1g?
As the machine I tried this on is not hosting a web service that is accessible outside my LAN, how can I check whether or not my system is vulnerable? (i.e. that the patch was properly applied and the version numbers displayed are just confusing?) Perhaps a Perl script (or, since this is my development machine, C++ source code that can be compiled and run)? I know I could Google this, but, given the severity of the vulnerability, I'd rather rely on recommendations from experts here rather than something from an unknown source (I really do not want to have to analyze a lot of source code to ensure it does not introduce something nasty to my system, especially since I am the furthest thing from a security systems engineer - I know nothing about openssl source or how it is supposed to work).
Thanks
Ted
--
R.E.(Ted) Byers, Ph.D., Ed.D.
You can download a copy of the ssltest python script here: http://pastebin.com/WmxzjkXJ
then run it as:
cmyers@chrismyers:~/Desktop/heartbleed> python ssltest.py my.millikin.edu
and it should (hopefully) say something like:
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 53
... received message: type = 22, ver = 0302, length = 1201
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org