[colug-432] Heartbleed Heartburn

Roberto C. Sánchez roberto at connexer.com
Thu Apr 10 15:20:00 EDT 2014


On Thu, Apr 10, 2014 at 02:55:51PM -0400, Rob Stampfli wrote:
> I have several virtual servers.  They are currently all running CentOS 6.
> When news of the Heartbleed bug broke, I did a "yum update" and saw CentOS
> has pushed down some updates to the openssl package.  However, its version
> number indicates "OpenSSL 1.0.1e-fips 11 Feb 2013", so I suspect it is not
> patched for Heartbleed.
> 
That may not be correct.  You should check the package changelog, which
would note any security vulnerabilities which have been patched.  For
example, on Debian 7.4, the current libssl1.0.0 package carries version
number 1.0.1e-2+deb7u6 (you will recall that 1.0.1e is a vulnerable
version).  However, the package changelog contains this entry:

  * Add CVE-2014-0160.patch patch.
    CVE-2014-0160: Fix TLS/DTLS heartbeat information disclosure.
    A missing bounds check in the handling of the TLS heartbeat extension
    can be used to reveal up to 64k of memory to a connected client or
    server.

> A couple questions:
> 
> 1.  Anyone know when the major Linux releases will come out with a patch
>     for Heartbleed?  Will openssl be pulled up to version 1.0.8 or will
>     they port the patch back to their current version of openssl?
> 
Debian has had theirs out for about 3 days now.  I imagine that RedHat
and others are on a similar timeline.

> 2.  What services are affected?  I presume https (but I really don't use
>     it on my servers).  But, ssh?  smtp (TSLv2/SSLv3)?  What needs to
>     be addressed?
> 
Anything linked against libssl which exposes some sort of
network-accessible service.

> 3.  Can we presume that the major players who are affected (Yahoo, Gmail,
>     Facebook, Amazon...) have patched their servers already?  It seems
>     to me that changing one's password on a service which is still
>     vulnerable is worse than doing nothing at all.
> 
That may not be a valid assumption.  When you have a production setup
running dozens, hundreds, or even thousands of servers, you generally
have a process whereby you install the fix in a development environment
first to do the initial testing/compilation with your production
software.  Then you promote to testing and do some sort of regression
testing.  Then you promote into production.  They are probably working
24/7 to make it happen and some may have deployed a fix by now.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
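Roberto's advice above (read the package changelog, not the upstream version banner) as an added POSIX shell example that is not part of the thread. The changelog text is constructed; the changelog paths and the `rpm`/`zcat` commands used for a live check are assumed for a typical Debian or RPM install.

```shell
#!/bin/sh
# Added example: backported fixes leave "OpenSSL 1.0.1e" unchanged, so decide patch
# status from the distro changelog and report the package version that carries the fix.

# Constructed Debian-style changelog, modelled on the entry quoted in the thread.
SAMPLE_CHANGELOG='openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

  * Add CVE-2014-0160.patch patch.
    CVE-2014-0160: Fix TLS/DTLS heartbeat information disclosure.

openssl (1.0.1e-2+deb7u4) wheezy; urgency=low

  * Constructed earlier entry with no security content.
'

# cve_fixed_in_version CVE-ID   (changelog on stdin)
# Prints the version of the newest entry mentioning the CVE; returns 1 if none.
# Understands Debian headers ("pkg (version) dist; ...") and, as an assumption
# about `rpm -q --changelog` output, RPM headers ("* Date Author version-release").
cve_fixed_in_version() {
    v=$(awk -v cve="$1" '
        /^[a-z0-9.+-]+ \([^)]+\)/ { v = $2; gsub(/[()]/, "", v) }
        /^\* /                    { v = $NF }
        v != "" && index($0, cve) { print v; exit }
    ')
    [ -n "$v" ] && printf '%s\n' "$v"
}

# installed_changelog PACKAGE: dump the installed package changelog (assumed paths).
installed_changelog() {
    if [ -r "/usr/share/doc/$1/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/$1/changelog.Debian.gz"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        echo "no changelog source found for $1" >&2
        return 1
    fi
}

# Live check, e.g. `check_installed libssl1.0.0 CVE-2014-0160` on Debian
# or `check_installed openssl CVE-2014-0160` on CentOS/RHEL.
check_installed() {
    if fixed=$(installed_changelog "$1" | cve_fixed_in_version "$2"); then
        echo "$1: changelog says $2 fixed in $fixed"
    else
        echo "$1: no changelog entry for $2; treat as unpatched"
        return 1
    fi
}
```

Run `printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed_in_version CVE-2014-0160` to see the offline case; absence of an entry is reported as unpatched rather than assumed safe.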
