[colug-432] Heartbleed Heartburn

Rob Funk rfunk at funknet.net
Thu Apr 10 15:51:36 EDT 2014


Rob Stampfli wrote:
> However, its version
> number indicates "OpenSSL 1.0.1e-fips 11 Feb 2013", so I suspect it is not
> patched for Heartbleed.

Check the changelog to be sure.

> 1.  Anyone know when the major Linux releases will come out with a patch
>     for Heartbleed?  Will openssl be pulled up to version 1.0.8 or will
>     they port the patch back to their current version of openssl?

I would expect the major ones all to have updates by now. In fact I
would've expected them to have updates by yesterday morning.

> 2.  What services are affected?  I presume https (but I really don't use
>     it on my servers).  But, ssh?  smtp (TSLv2/SSLv3)?  What needs to
>     be addressed?

In this case, anything that exposes the SSL/TLS protocol to the
internet. That includes https, pop3s, imaps, secure-smtp, but not SSH.

You can test each service port on your server (or someone else's)
using the tool here:  http://filippo.io/Heartbleed/
(You can either use the online tool or download it and run it from
your own machine.)

> 3.  Can we presume that the major players who are affected (Yahoo, Gmail,
>     Facebook, Amazon...) have patched their servers already?

One would hope, and by now I think the answer is yes for all those (I
guess Yahoo was a bit slower than others), but it's best to check.
Various people are trying to track who's still vulnerable and who
isn't, for example:
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

>   It seems to me that changing one's password on a service which is
>   still vulnerable is worse than doing nothing at all.

True. Don't change your password until you know the site is not
vulnerable.


This is one time when I'm really glad I haven't gotten around to
upgrading my server from Ubuntu 10.04 yet. :-)
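As an added example (not code from the thread), a Python helper for the two checks the reply recommends: it parses the `openssl version` banner, classifies it against the upstream affected range as I know it (1.0.1 through 1.0.1f plus 1.0.2-beta1, fixed in 1.0.1g), and then scans the distribution package changelog, because distributions backport the fix without changing the version string. The banner is the one quoted in the thread; the changelog snippets are constructed.

```python
import re

# Upstream OpenSSL releases carrying the bug: 1.0.1 through 1.0.1f (fixed in 1.0.1g).
# 0.9.8 and 1.0.0 never contained the TLS heartbeat extension at all.
VULN_MIN = (1, 0, 1, "")
VULN_MAX = (1, 0, 1, "f")

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner):
    """Turn 'OpenSSL 1.0.1e-fips 11 Feb 2013' into the tuple (1, 0, 1, 'e')."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)

def in_affected_range(banner, v):
    """True if this upstream release shipped the vulnerable heartbeat code."""
    if VULN_MIN <= v <= VULN_MAX:
        return True
    # 1.0.2-beta1 also shipped the bug; later 1.0.2 betas and releases did not.
    return v[:3] == (1, 0, 2) and "beta1" in banner

def changelog_mentions_fix(changelog_text):
    """Distributions backport the fix without bumping the version string, so the
    package changelog, not the banner, is the authority. A match only means
    'read this entry'; the regex is a coarse heuristic, not proof of the fix."""
    return re.search(r"heartb(leed|eat)", changelog_text, re.IGNORECASE) is not None

def assess(banner, changelog_text=""):
    """Classify a server's OpenSSL from its banner plus its package changelog."""
    v = parse_version(banner)
    if v < VULN_MIN:
        return "unaffected"                 # no heartbeat extension in this series
    if not in_affected_range(banner, v):
        return "fixed-upstream"
    if changelog_mentions_fix(changelog_text):
        return "fixed-by-backport"
    return "vulnerable-unless-backported"   # banner alone cannot say; patch or verify

# Constructed sample inputs: the banner from the thread and two fake changelog entries.
BANNER = "OpenSSL 1.0.1e-fips 11 Feb 2013"
CHANGELOG_UNPATCHED = "* Mon Feb 11 2013 Example Packager - 1.0.1e-1.example\n- update to 1.0.1e\n"
CHANGELOG_PATCHED = CHANGELOG_UNPATCHED + (
    "* Tue Apr 08 2014 Example Packager - 1.0.1e-2.example\n"
    "- fix information disclosure in the TLS heartbeat extension\n")

if __name__ == "__main__":
    print(assess(BANNER, CHANGELOG_UNPATCHED))  # vulnerable-unless-backported
    print(assess(BANNER, CHANGELOG_PATCHED))    # fixed-by-backport
```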
