OpenSSL security issues
OpenSSL has a two-year-old vulnerability that got fixed yesterday. [1]
If you do not use unattended-upgrades, update immediately!
To check your OpenSSL version:
openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan 8 20:50:06 UTC 2014
Build date should be post 7th of April 2014
Certificates should be regenerated as well.
Test your websites. [2]
It seems there is no fix for Trisquel yet. [3]
[1] http://heartbleed.com/
[2] http://filippo.io/Heartbleed/
[3] https://trisquel.info/en/issues/11477
Thank you, ivaylo. Notified our IT guy. We're about to migrate 30+ websites, so you saved us grief down the road! OpenSSL 1.0.1e here - it must be gone ASAP!!! :)
This quote from http://heartbleed.com/ is a major wake-up!
"What leaks in practice?
We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
Keep up the great work Trisquel forum members!
You guys Rock & always ... do good things!
Check the build date. The patched version on Debian/Ubuntu/Trisquel (based) systems fixes the issue itself, but the version string stays unchanged. Use a scanner to check the websites. A restart of the web server is also needed. Otherwise scanners still report the target as affected.
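The two checks discussed above (build date instead of version string, and restarting services after the upgrade), as an added example that is not part of any post in this thread. The function names, the second sample and the `--live` switch are made up for illustration, and counting a build made on 7 April 2014 itself as patched is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread.
CUTOFF_YMD=20140407   # date from the thread; treating 7 April itself as "ok" is an assumption

# First sample is the output quoted in the thread; the second is constructed.
SAMPLE_OLD='OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan 8 20:50:06 UTC 2014'
SAMPLE_NEW='OpenSSL 1.0.1 14 Mar 2012
built on: Tue Apr 8 09:15:00 UTC 2014'

# Print the "built on:" date of `openssl version -a` output as YYYYMMDD,
# or nothing when the line is missing or holds no parseable date.
built_ymd() {
    printf '%s\n' "$1" | awk '
        /^built on:/ {
            m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
            if (length($4) != 3 || m % 3 != 1) exit
            if ($5 !~ /^[0-9]+$/ || $NF !~ /^[0-9][0-9][0-9][0-9]$/) exit
            printf "%04d%02d%02d\n", $NF, (m + 2) / 3, $5
            exit
        }'
}

# Classify the build: stale (before the cutoff), ok, or unknown (no date).
build_status() {
    local ymd
    ymd=$(built_ymd "$1")
    if [ -z "$ymd" ]; then echo unknown
    elif [ "$ymd" -lt "$CUTOFF_YMD" ]; then echo stale
    else echo ok; fi
}

# Read /proc/<pid>/maps content on stdin; succeed if the process still maps a
# libssl/libcrypto file that was replaced on disk, i.e. it was not restarted.
maps_show_deleted_lib() {
    grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# Live check (run as root to see every process): ./script.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "build: $(build_status "$(openssl version -a)")"
    for maps in /proc/[0-9]*/maps; do
        if maps_show_deleted_lib 2>/dev/null < "$maps"; then
            echo "restart needed: pid $(basename "$(dirname "$maps")")"
        fi
    done
fi
```

An "unknown" result means the build date gives no answer either way, so fall back on the distribution's package changelog and a scanner.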
An updated openssl is now available for Trisquel.
At least in the es.archive.trisquel.info repos, it is.
Yes, Ruben confirmed on IRC that the issue is solved. I'm closing the bug in the issue tracker as well.