I ran away to update a virtual server I run.
Remember on all your openSUSE 12.3 AND 13.1 machines:
sudo zypper in -t patch openSUSE-2014-277
Use "sudo rpm -qa | grep ssl" to confirm you have the latest patched version.
This is the package list from the security announcement:
- openSUSE 13.1 (i586 x86_64):
libopenssl-devel-1.0.1e-11.32.1
libopenssl1_0_0-1.0.1e-11.32.1
libopenssl1_0_0-debuginfo-1.0.1e-11.32.1
openssl-1.0.1e-11.32.1
openssl-debuginfo-1.0.1e-11.32.1
openssl-debugsource-1.0.1e-11.32.1
- openSUSE 13.1 (x86_64):
libopenssl-devel-32bit-1.0.1e-11.32.1
libopenssl1_0_0-32bit-1.0.1e-11.32.1
libopenssl1_0_0-debuginfo-32bit-1.0.1e-11.32.1
- openSUSE 13.1 (noarch):
openssl-doc-1.0.1e-11.32.1
- openSUSE 12.3 (i586 x86_64):
libopenssl-devel-1.0.1e-1.44.1
libopenssl1_0_0-1.0.1e-1.44.1
libopenssl1_0_0-debuginfo-1.0.1e-1.44.1
openssl-1.0.1e-1.44.1
openssl-debuginfo-1.0.1e-1.44.1
openssl-debugsource-1.0.1e-1.44.1
- openSUSE 12.3 (x86_64):
libopenssl-devel-32bit-1.0.1e-1.44.1
libopenssl1_0_0-32bit-1.0.1e-1.44.1
libopenssl1_0_0-debuginfo-32bit-1.0.1e-1.44.1
- openSUSE 12.3 (noarch):
openssl-doc-1.0.1e-1.44.1
My questions below:
On Thu, Apr 10, 2014 at 10:39 AM, Christopher Myers
Well... I applied the patches mentioned in the email I'd sent a few minutes ago to my 12.2 box, and after doing so, the heartbleed python script no longer flags it:
user@computer:~/Desktop/heartbleed> python ssltest.py my.server
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 1286
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
So, I'm guessing it's ok? No odd issues as of yet.
Is it just HTTPS connections we have to worry about? I read that SSH is safe because it does not use the TLS protocol that is the core of the vulnerability. For secure FTP, it uses SSH so that should be safe as well. What about POP / IMAP / SMTP? Do any of those have susceptibility to heartbleed?
Greg
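
Added example (not part of the original message or of the openSUSE announcement): a POSIX shell check that compares installed OpenSSL packages against the fixed builds in the package list above, instead of reading "rpm -qa | grep ssl" output by eye. The function names fixed_for, release_ge and audit are made up for this sketch, and the sample lines are constructed, not taken from a real host.

```sh
#!/bin/sh
# Fixed version-release per openSUSE release, from the announcement's package list.
fixed_for() {
  case "$1" in
    13.1) echo "1.0.1e-11.32.1" ;;
    12.3) echo "1.0.1e-1.44.1" ;;
    *) return 1 ;;
  esac
}

# release_ge A B: succeed if dotted numeric release A >= B (11.32.1 >= 11.28.1).
release_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# audit DISTRO: read "NAME VERSION RELEASE" lines on stdin, print every OpenSSL
# package older than the fixed build, and return 1 if any was found.
audit() {
  fixed=$(fixed_for "$1") || { echo "no fixed build known for $1" >&2; return 2; }
  fver=${fixed%%-*}; frel=${fixed#*-}; bad=0
  while read -r name ver rel; do
    case "$name" in openssl*|libopenssl*) ;; *) continue ;; esac
    if [ "$ver" != "$fver" ]; then
      echo "CHECK $name $ver-$rel (version differs from $fver)"
    elif ! release_ge "$rel" "$frel"; then
      echo "UNPATCHED $name $ver-$rel (need $fver-$frel)"; bad=1
    fi
  done
  return "$bad"
}

# Constructed sample input. On a real machine, feed it from rpm instead:
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' | audit 13.1
sample='libopenssl1_0_0 1.0.1e 11.28.1
openssl 1.0.1e 11.32.1
bash 4.2 68.4.1'
printf '%s\n' "$sample" | audit 13.1 || true
```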