OpenSSL security issues

ivaylo
Joined: 07/26/2010

OpenSSL has a two-year-old vulnerability that got fixed yesterday. [1]

If you do not use unattended-upgrades, update immediately!

To check your OpenSSL version:
openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan 8 20:50:06 UTC 2014

Build date should be post 7th of April 2014

Certificates should be regenerated as well.

Test your websites. [2]

It seems there is no fix for Trisquel yet. [3]

[1] http://heartbleed.com/
[2] http://filippo.io/Heartbleed/
[3] https://trisquel.info/en/issues/11477

islander
Joined: 05/27/2013

Thank you, ivaylo. Notified our IT guy. We're about to migrate 30+ websites, so you saved us grief down the road! OpenSSL 1.0.1e here - it must be gone ASAP!!! :)

This quote from http://heartbleed.com/ is a major wake-up!

"What leaks in practice?

We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Keep up the great work Trisquel forum members!
You guys Rock & always ... do good things!

ivaylo
Joined: 07/26/2010

Check the build date. The patched version on Debian/Ubuntu/Trisquel (based) systems fixes the issue itself, but the version string stays unchanged. Use a scanner to check the websites. A restart of the web server is also needed. Otherwise scanners still report the target as affected.
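
The build-date check described in the post above, as an added example that is not part of the original thread: it reads `openssl version -a` output and classifies it, since a backported fix leaves the version string unchanged. The function name `classify_openssl`, the `CUTOFF` variable and the verdict labels are assumptions of this example, as is treating a build dated 7 April 2014 itself as patched; the affected upstream range is 1.0.1 through 1.0.1f.

```shell
#!/bin/sh
# Added example. Usage on a live host: openssl version -a | classify_openssl
CUTOFF=20140407   # assumption: builds dated on or after 7 April 2014 carry the fix

classify_openssl() {
    awk -v cutoff="$CUTOFF" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        seen = 0; inrange = 0; built = ""
    }
    # First line, e.g. "OpenSSL 1.0.1 14 Mar 2012": field 2 is the version.
    /^OpenSSL / && !seen {
        seen = 1
        # 1.0.1 and 1.0.1a-1.0.1f, with an optional vendor suffix after "-"
        inrange = ($2 ~ /^1\.0\.1[a-f]?(-.*)?$/)
    }
    # e.g. "built on: Wed Jan 8 20:50:06 UTC 2014" -> $4=month $5=day $NF=year
    /^built on:/ {
        if (($4 in mon) && $5 ~ /^[0-9]+$/ && $NF ~ /^[0-9][0-9][0-9][0-9]$/)
            built = sprintf("%04d%02d%02d", $NF, mon[$4], $5)
    }
    END {
        if (!seen)                          print "unknown"
        else if (!inrange)                  print "out-of-scope"   # no claim made
        else if (built == "")               print "unknown"        # no usable date
        else if (built + 0 >= cutoff + 0)   print "likely-patched"
        else                                print "unpatched"
    }'
}

# The output quoted in the first post of this thread.
SAMPLE='OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan 8 20:50:06 UTC 2014'
printf '%s\n' "$SAMPLE" | classify_openssl
```

A "likely-patched" verdict only describes the library on disk; as the post says, services that loaded the old library still need a restart before a scanner will report them as fixed.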

Platypus333
Joined: 12/10/2010

An updated openssl is now available for Trisquel.

At least in the es.archive.trisquel.info repos, it is.

ivaylo
Joined: 07/26/2010

Yes, Ruben confirmed on IRC that the issue is solved. I'm closing the bug in the issue tracker as well.