[colug-432] Heartbleed Heartburn
Rob Funk
rfunk at funknet.net
Thu Apr 10 15:51:36 EDT 2014
Rob Stampfli wrote:
> However, its version
> number indicates "OpenSSL 1.0.1e-fips 11 Feb 2013", so I suspect it is not
> patched for Heartbleed.
Check the changelog to be sure.
> 1. Anyone know when the major Linux releases will come out with a patch
> for Heartbleed? Will openssl be pulled up to version 1.0.8 or will
> they port the patch back to their current version of openssl?
I would expect the major ones all to have updates by now. In fact I
would've expected them to have updates by yesterday morning.
> 2. What services are affected? I presume https (but I really don't use
> it on my servers). But, ssh? smtp (TSLv2/SSLv3)? What needs to
> be addressed?
In this case, anything that exposes the SSL/TLS protocol to the
internet. That includes https, pop3s, imaps, secure-smtp, but not SSH.
You can test each service port on your server (or someone else's)
using the tool here: http://filippo.io/Heartbleed/
(You can either use the online tool or download it and run it from
your own machine.)
> 3. Can we presume that the major players who are affected (Yahoo, Gmail,
> Facebook, Amazon...) have patched their servers already?
One would hope, and by now I think the answer is yes for all those (I
guess Yahoo was a bit slower than others), but it's best to check.
Various people are trying to track who's still vulnerable and who
isn't, for example:
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
> It seems to me that changing one's password on a service which is
> still vulnerable is worse than doing nothing at all.
True. Don't change your password until you know the site is not
vulnerable.
This is one time when I'm really glad I haven't gotten around to
upgrading my server from Ubuntu 10.04 yet. :-)
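An added check, not part of the thread, for the "check the changelog to be sure" advice above: distributions backport the Heartbleed fix without changing what `openssl version` prints (it will still say something like 1.0.1e-fips), so the package changelog, not the version string, is the evidence. The package names and changelog paths for Debian/Ubuntu and RPM systems below are assumptions about typical layouts; adjust them if yours differ.

```shell
#!/bin/sh
# Added example (not the list's own code): find the package changelog entry
# that records the TLS heartbeat / Heartbleed fix. Handles both Debian-style
# entry headers ("openssl (1.0.1e-3ubuntu1.2) precise-security; urgency=...")
# and RPM-style headers ("* Mon Apr 07 2014 Packager <...> - 1.0.1e-16.7").

# fix_entry_version: read a changelog on stdin; print the package version of
# the newest entry mentioning heartbleed/heartbeat, exit 1 if none does.
fix_entry_version() {
    awk '
        /^[a-z0-9.+-]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver); next }
        /^\* /                     { ver = $NF; next }
        tolower($0) ~ /heartbleed|heartbeat/ && ver != "" {
            print ver; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# installed_changelog: dump the installed OpenSSL package changelog using
# whichever package manager is present (paths are assumed, see lead-in).
installed_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl
    else
        for f in /usr/share/doc/libssl1.0.0/changelog.Debian.gz \
                 /usr/share/doc/openssl/changelog.Debian.gz; do
            [ -f "$f" ] && { zcat "$f"; return 0; }
        done
        return 1
    fi
}

# check_installed: report whether the installed package carries the fix.
# The bare version string is deliberately not used as evidence either way.
check_installed() {
    if ver=$(installed_changelog | fix_entry_version); then
        echo "changelog records a heartbeat/Heartbleed fix in package version $ver"
    else
        echo "no Heartbleed fix in changelog; treat '$(openssl version)' as unpatched"
        return 1
    fi
}
```

Run `check_installed` on the server itself; a non-zero exit means the changelog gives no evidence of the fix, whatever the version string says.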