nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

From: Richard Hesse <richard.hesse () weebly com>
Date: Tue, 8 Apr 2014 09:08:50 -0700
The updated CentOS openssl binaries haven't patched the underlying bug, but
they have disabled the heartbeat functionality. By doing so, they've
disabled the attack vector. Once upstream releases a fix, they will
re-enable the heartbeat function with the working patch.

And yes, don't forget to restart any linked services after updating.

-richard


On Tue, Apr 8, 2014 at 9:03 AM, Michael Thomas <mike () mtcc com> wrote:


Just as a data point, I checked the servers I run and it's a good thing I
didn't reflexively update them first.
On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
the vulnerability, but the
ones queued up for update do. I assume that redhat will get the patched
version soon but be careful!

Mike


On 04/07/2014 10:06 PM, Paul Ferguson wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm really surprised no one has mentioned this here yet...

FYI,

- - ferg



Begin forwarded message:

 From: Rich Kulawiec <rsk () gsp org> Subject: Serious bug in

ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
9:27:40 PM EDT

This reaches across many versions of Linux and BSD and, I'd
presume, into some versions of operating systems based on them.
OpenSSL is used in web servers, mail servers, VPNs, and many other
places.

Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
revealed
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-
revealed-7000028166/

  Technical details: Heartbleed Bug http://heartbleed.com/

OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable



- -- Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
=aAzE
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: