nanog mailing list archives

Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

From: "Paul S." <contact () winterei se>
Date: Wed, 09 Apr 2014 21:21:50 +0900

If you built anything against the vulnerable library (esp static linkedstuff), you'll need to rebuild those too.


On 4/8/2014 午後 09:18, David Hubbard wrote:

Don't forget to restart every daemon that was using the old library as
well, or just reboot.

-----Original Message-----
From: Peter Kristolaitis [mailto:alter3d () alter3d ca]
Sent: Tuesday, April 08, 2014 1:19 AM
To: nanog () nanog org
Subject: Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Not just run the updates -- all private keys should be changed too, on
the assumption that they've been compromised already.  THAT is going to
be the crappy part of this.

- Pete

On 4/8/2014 1:13 AM, David Hubbard wrote:

RHEL and CentOS both have patches out as of a couple hours ago, so run
those updates!  CentOS' mirrors do not all have it yet, so if you are
updating, make sure you get the
1.0.1e-16.el6_5.7 version and not older.

David

-----Original Message-----
From: Paul Ferguson [mailto:fergdawgster () mykolab com]
Sent: Tuesday, April 08, 2014 1:07 AM
To: NANOG
Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm really surprised no one has mentioned this here yet...

FYI,

- - ferg



Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org> Subject: Serious bug in ubiquitous
OpenSSL library: "Heartbleed" Date: April 7, 2014 at 9:27:40 PM EDT

This reaches across many versions of Linux and BSD and, I'd presume,
into some versions of operating systems based on them.
OpenSSL is used in web servers, mail servers, VPNs, and many other
places.

Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerabilit
y
-revealed-7000028166/

   Technical details: Heartbleed Bug http://heartbleed.com/

OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable

- --
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
=aAzE
-----END PGP SIGNATURE-----

Current thread:

Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Paul Ferguson (Apr 07)
- RE: Serious bug in ubiquitous OpenSSL library: "Heartbleed" David Hubbard (Apr 07)
  - Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Peter Kristolaitis (Apr 07)
    - RE: Serious bug in ubiquitous OpenSSL library: "Heartbleed" David Hubbard (Apr 08)
    - Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Paul S. (Apr 08)
    - Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Alain Hebert (Apr 08)
- Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Peter Kristolaitis (Apr 07)
- Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Maxim Khitrov (Apr 07)
- Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Randy Bush (Apr 08)
  - Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Maxim Khitrov (Apr 08)
  - Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Rob Seastrom (Apr 08)
- Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Michael Thomas (Apr 08)
  - Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Richard Hesse (Apr 08)
  - Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Jonathan Lassoff (Apr 08)
    - Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed" Patrick W. Gilmore (Apr 08)

(Thread continues...)