nanog mailing list archives
Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Tue, 8 Apr 2014 12:16:12 -0400
Lots of tools available. I'm with ferg, surprised more haven't been mentioned here.

Tools to check for the bug:
• on your own box: https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
• online: http://filippo.io/Heartbleed/ (use carefully as they might log what you check)
• online: http://possible.lv/tools/hb/
• offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias Dussa, also takes a CSV file with host names for input and ports as parameter
• offline: http://s3.jspenguin.org/ssltest.py
• offline: https://github.com/titanous/heartbleeder

List of vulnerable Linux distributions: <http://www.circl.lu/pub/tr-21/>.

Anyone have any more?

--
TTFN,
patrick

On Apr 08, 2014, at 12:11 , Jonathan Lassoff <jof () thejof com> wrote:

> For testing, I've had good luck with https://github.com/titanous/heartbleeder and https://gist.github.com/takeshixx/10107280
>
> Both are mostly platform-independent, so they should be able to work even if you don't have a modern OpenSSL to test with.
>
> Cheers and good luck (you're going to need it),
> jof
>
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <mike () mtcc com> wrote:
>
>> Just as a data point, I checked the servers I run and it's a good thing I didn't reflexively update them first. On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have the vulnerability, but the ones queued up for update do. I assume that redhat will get the patched version soon but be careful!
>>
>> Mike
>>
>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>
>>> I'm really surprised no one has mentioned this here yet...
>>>
>>> FYI,
>>>
>>> - ferg
>>>
>>> Begin forwarded message:
>>>
>>> From: Rich Kulawiec <rsk () gsp org>
>>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>> Date: April 7, 2014 at 9:27:40 PM EDT
>>>
>>> This reaches across many versions of Linux and BSD and, I'd presume, into some versions of operating systems based on them. OpenSSL is used in web servers, mail servers, VPNs, and many other places.
>>>
>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>
>>> Technical details: Heartbleed Bug
>>> http://heartbleed.com/
>>>
>>> OpenSSL versions affected (from link just above):
>>>
>>> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>>> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>>> OpenSSL 1.0.0 branch is NOT vulnerable
>>> OpenSSL 0.9.8 branch is NOT vulnerable
>>>
>>> --
>>> Paul Ferguson
>>> VP Threat Intelligence, IID
>>> PGP Public Key ID: 0x54DC85B2
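The version list quoted from heartbleed.com and Mike's data point about queued updates, combined into a pre-update check. This is an added example, not part of any message in the thread; `classify`, `review_updates`, the action labels and the host inventory are hypothetical, and the sample data is constructed.

```python
import re

# Upstream ranges as quoted in the thread (from heartbleed.com):
#   1.0.1 through 1.0.1f vulnerable; 1.0.1g, the 1.0.0 branch and
#   the 0.9.8 branch not vulnerable. Anything else is left as unknown.
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def classify(version_text):
    """Classify an upstream OpenSSL version string (e.g. `openssl version` output)."""
    m = _VER.search(version_text)
    if not m:
        return "unknown"
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)          # "" for plain 1.0.1, else the patch letter
    if base == (1, 0, 1):
        return "vulnerable" if letter < "g" else "not-vulnerable"
    if base in ((1, 0, 0), (0, 9, 8)):
        return "not-vulnerable"
    return "unknown"

def review_updates(inventory):
    """Map host -> action, given (host, installed, queued_update) version strings."""
    actions = {}
    for host, installed, candidate in inventory:
        now, after = classify(installed), classify(candidate)
        if now == "vulnerable" and after == "not-vulnerable":
            actions[host] = "update"
        elif now == "vulnerable":
            actions[host] = "vulnerable-wait-for-fix"
        elif after == "vulnerable":
            actions[host] = "hold-update"   # the case Mike describes
        elif "unknown" in (now, after):
            actions[host] = "check-manually"
        else:
            actions[host] = "ok"
    return actions

# Constructed inventory: (host, installed version, version queued for update).
SAMPLE = [
    ("web1", "OpenSSL 1.0.0 29 Mar 2010", "1.0.1e"),
    ("mail1", "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g"),
    ("vpn1", "0.9.8y", "0.9.8y"),
    ("db1", "1.0.1c", "1.0.1f"),
    ("lb1", "vendor-build", "vendor-build"),
]

if __name__ == "__main__":
    for host, action in review_updates(SAMPLE).items():
        print(host, action)
```

Distribution packages that backport a fix can keep the old upstream letter, so a "vulnerable" result from a version string alone should be confirmed against the package changelog or with one of the test tools listed in the thread.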