[colug-432] Heartbleed Heartburn

Rick Troth rmt at casita.net
Thu Apr 10 15:37:23 EDT 2014


Remember, you can build it yourself, if that helps.

On 04/10/2014 02:55 PM, Rob Stampfli wrote:
> I have several virtual servers.  They are currently all running CentOS 6.
> When news of the Heartbleed bug broke, I did a "yum update" and saw CentOS
> has pushed down some updates to the openssl package.  However, its version
> number indicates "OpenSSL 1.0.1e-fips 11 Feb 2013", so I suspect it is not
> patched for Heartbleed.

Also check if OpenSSL 0.9.8 is available, or OpenSSL 1.0.0. It's the
1.0.1 series which had the problem.

And like Roberto said, a patch could have been retro-applied. (As you
also hint at below.)

> 1.  Anyone know when the major Linux releases will come out with a patch
>     for Heartbleed?  Will openssl be pulled up to version 1.0.8 or will
>     they port the patch back to their current version of openssl?

RedHat often back-ports an update, and CentOS follows RedHat. (But I
cannot say with authority what CentOS will do. Someone else will have to
speak about that.)

> 2.  What services are affected?  I presume https (but I really don't use
>     it on my servers).  But, ssh?  smtp (TSLv2/SSLv3)?  What needs to
>     be addressed?

You'll have to check the dependency/co-req/pre-req list for each
package. SMTP, IMAP, HTTP, SSH, most of the popular chat protocols, ...
all have an SSL/TLS mode these days. (And that's a good thing.) But
OpenSSL is not the only provider. Some packages are built against
GnuTLS. And Mozilla has their own SSL library.

So ... it's only OpenSSL and only the 1.0.1 thru 1.0.1f series that are
affected.

Also, some packages may link statically. For such packages, swapping out
OpenSSL won't help at all. (pros and cons about static linkage)

> 3.  Can we presume that the major players who are affected (Yahoo, Gmail,
>     Facebook, Amazon...) have patched their servers already?  It seems
>     to me that changing one's password on a service which is still
>     vulnerable is worse than doing nothing at all.

Exactly! And some advice being published says this very thing. Change
your password, but be prepared to change it again, or wait a suitable
amount of time. And if a given player announces "we've fixed our site",
that is the time to actually pull the trigger.

One colleague said that there is a lot of over-reaction.

> Any ideas?

Download the fixed OpenSSL and build it yourself.
This is _not always practical_, but personally I cannot stand to be
painted into a corner where I cannot take such action on my own. The two
reasons my career flounders in the FOSS river are that #1 I want the
freedom to control the code (not hindered from copying it, changing it,
whatever) and #2 I don't want to be stuck waiting on some outside party
to fix problems.

-- R; <><
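A triage script for a CentOS 6 box, added here as an example and not part of the thread: it applies the version range Rick describes (1.0.1 through 1.0.1f affected; 0.9.8 and 1.0.0 not), checks the package changelog for a back-ported fix (the search terms are an assumption), and reads `ldd` output to separate daemons that load libssl dynamically from those that link statically and need a rebuild rather than a library swap.

```shell
#!/bin/sh
# Added example (not from the thread): triage an OpenSSL install the way
# Rick's reply suggests, on a CentOS 6 box.

# 1. Classify the string printed by `openssl version`.  Per the thread,
#    only 1.0.1 through 1.0.1f are affected; 0.9.8 and 1.0.0 are not,
#    and 1.0.1g is the first fixed release.
#    Prints one of: affected, not-affected, unknown
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')               echo unknown ;;
        1.0.1|1.0.1[a-f]) echo affected ;;
        1.0.1*)           echo not-affected ;;  # 1.0.1g and later
        0.9.8*|1.0.0*)    echo not-affected ;;
        *)                echo unknown ;;       # e.g. 1.0.2 betas: check upstream
    esac
}

# 2. A version string alone is not conclusive on CentOS, because the
#    distro back-ports fixes without bumping the version.  Look for the
#    fix in the package changelog instead.  (Search terms are an
#    assumption; adjust to whatever the vendor advisory actually says.)
#    Prints: backported, no-backport-found
changelog_has_heartbleed_fix() {
    if rpm -q --changelog openssl 2>/dev/null | grep -qiE 'heartbleed|heartbeat'; then
        echo backported
    else
        echo no-backport-found
    fi
}

# 3. Swapping the shared library only helps binaries that load it
#    dynamically.  Given the text of `ldd /path/to/daemon`, report whether
#    libssl is loaded at run time or the binary must be rebuilt instead.
#    Prints: dynamic, static-or-no-ssl
ssl_link_mode() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then
        echo dynamic
    else
        echo static-or-no-ssl
    fi
}

# Usage on a live system (not run here):
#   classify_openssl_version "$(openssl version)"
#   changelog_has_heartbleed_fix
#   ssl_link_mode "$(ldd /usr/sbin/httpd)"
```

Run all three on each host; a "not-affected" version result or a "backported" changelog result is reassuring only for the dynamically linked daemons, which is exactly the static-linkage caveat Rick raises.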


