閱讀文章 - 看板 FB_security

發信人mohacsi@niif.hu (Mohacsi Janos),

看板FB_security

標題Re: CVE-2014-0160?

發信站NCTU CS FreeBSD Server (Fri Apr 11 21:46:10 2014)

轉信站ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow

On Fri, 11 Apr 2014, sbremal@hotmail.com wrote: > Hello > > Could anyone comment this? Worry, not to worry, upgrade, upgrade to what = version? > > There are few contradicting information coming out in regards to the chec= k of my server related to the 'heartbleed' bug: > > 1. http://heartbleed.com/ > > ... > Status of different versions: > > --->=A0=A0=A0 OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable > =A0=A0=A0 OpenSSL 1.0.1g is NOT vulnerable > =A0=A0=A0 OpenSSL 1.0.0 branch is NOT vulnerable > =A0=A0=A0 OpenSSL 0.9.8 branch is NOT vulnerable > ... > How about operating systems? > > Some operating system distributions that have shipped with potentially vu= lnerable OpenSSL version: > > =A0=A0=A0 Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4 > =A0=A0=A0 Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11 > =A0=A0=A0 CentOS 6.5, OpenSSL 1.0.1e-15 > =A0=A0=A0 Fedora 18, OpenSSL 1.0.1e-4 > =A0=A0=A0 OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1= c 10 May 2012) > --->=A0=A0=A0 FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013 > =A0=A0=A0 NetBSD 5.0.2 (OpenSSL 1.0.1e) > =A0=A0=A0 OpenSUSE 12.2 (OpenSSL 1.0.1c) Consult: http://www.freebsd.org/security/advisories.html and http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc > > Operating system distribution with versions that are not vulnerable: > > =A0=A0=A0 Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14 > =A0=A0=A0 SUSE Linux Enterprise Server > =A0=A0=A0 FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013 > =A0=A0=A0 FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013 > --->=A0=A0=A0 FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC) Freebsd ports updated: http://svnweb.freebsd.org/ports/head/security/openssl/ > ... > > 2. lynx -dump -head http://localhost/ > > HTTP/1.1 200 OK > Date: Fri, 11 Apr 2014 08:10:11 GMT > Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26 > ---> OpenSSL/1.0.1e-freebsd > DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3 > Last-Modified: Wed, 12 Feb 2014 13:29:34 GMT > ETag: "278b56-2c-4f235903dcb80" > Accept-Ranges: bytes > Content-Length: 44 > Connection: close > Content-Type: text/html > > 3. http://possible.lv/tools/hb/?domain=3Dxxx > > ext 65281 (renegotiation info, length=3D1) > ext 00011 (EC point formats, length=3D4) > ext 00035 (session ticket, length=3D0) > ext 00015 (heartbeat, length=3D1) <-- Your server supports heartbeat. Bug= is possible when linking against OpenSSL 1.0.1f or older. Let me check. > Actively checking if CVE-2014-0160 works: Server is vulnerable to all att= acks tested, please upgrade software ASAP. > > 4. pkg audit > > 0 problem(s) in the installed packages found. Probably you use openssl form base system not from packages. > > > Cheers > B. > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g" > _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"