<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Remember, you can build it yourself, if
that helps. <br>
<br>
On 04/10/2014 02:55 PM, Rob Stampfli wrote:<br>
</div>
<blockquote cite="mid:20140410185551.GA30125@pandora" type="cite">
<pre wrap="">I have several virtual servers. They are currently all running CentOS 6.
When news of the Heartbleed bug broke, I did a "yum update" and saw CentOS
has pushed down some updates to the openssl package. However, its version
number indicates "OpenSSL 1.0.1e-fips 11 Feb 2013", so I suspect it is not
patched for Heartbleed.</pre>
</blockquote>
<br>
Also check if OpenSSL 0.9.8 is available, or OpenSSL 1.0.0. It's the
1.0.1 series which had the problem. <br>
<br>
And like Roberto said, a patch could have been retro-applied. (As
you also hint at below.) <br>
<br>
<blockquote cite="mid:20140410185551.GA30125@pandora" type="cite">
<pre wrap="">1. Anyone know when the major Linux releases will come out with a patch
for Heartbleed? Will openssl be pulled up to version 1.0.8 or will
they port the patch back to their current version of openssl?</pre>
</blockquote>
<br>
RedHat often back-ports an update, and CentOS follows RedHat. (But I
cannot say with authority what CentOS will do. Someone else will
have to speak about that.) <br>
<br>
<blockquote cite="mid:20140410185551.GA30125@pandora" type="cite">
<pre wrap="">2. What services are affected? I presume https (but I really don't use
it on my servers). But, ssh? smtp (TLSv2/SSLv3)? What needs to
be addressed?</pre>
</blockquote>
<br>
You'll have to check the dependency/co-req/pre-req list for each
package. SMTP, IMAP, HTTP, SSH, most of the popular chat protocols,
... all have an SSL/TLS mode these days. (And that's a good thing.)
But OpenSSL is not the only provider. Some packages are built
against GnuTLS. And Mozilla has their own SSL library. <br>
<br>
So ... it's only OpenSSL and only the 1.0.1 thru 1.0.1f series that
are affected. <br>
<br>
Also, some packages may link statically. For such packages, swapping
out OpenSSL won't help at all. (pros and cons about static linkage)
<br>
<br>
<blockquote cite="mid:20140410185551.GA30125@pandora" type="cite">
<pre wrap="">3. Can we presume that the major players who are affected (Yahoo, Gmail,
Facebook, Amazon...) have patched their servers already? It seems
to me that changing one's password on a service which is still
vulnerable is worse than doing nothing at all.</pre>
</blockquote>
<br>
Exactly! And some advice being published says this very thing.
Change your password, but be prepared to change it again, or wait a
suitable amount of time. And if a given player announces "we've
fixed our site", that is the time to actually pull the trigger. <br>
<br>
One colleague said that there is a lot of over-reaction. <br>
<br>
<blockquote cite="mid:20140410185551.GA30125@pandora" type="cite">
<pre wrap="">Any ideas?</pre>
</blockquote>
<br>
Download the fixed OpenSSL and build it yourself. <br>
This is <u>not always practical</u>, but personally I cannot stand
to be painted into a corner where I cannot take such action on my
own. The two reasons my career flounders in the FOSS river are that
#1 I want the freedom to control the code (not hindered from copying
it, changing it, whatever) and #2 I don't want to be stuck waiting
on some outside party to fix problems. <br>
<br>
-- R; <><<br>
<br>
<br>
<br>
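The checks discussed in this thread (is the installed 1.0.1e a back-ported
build or not, and does a given daemon even load the shared libssl), as an
added example that is not part of the original messages. It is a POSIX sh
script; the functions take command output as text so they run offline on
the constructed samples at the bottom, and on a real CentOS/RHEL host you
feed them the live output of <tt>openssl version</tt>, <tt>rpm -q --changelog openssl</tt>
and <tt>ldd</tt>. The assumption that a back-port is recorded in the package
changelog by CVE id holds for RHEL-style changelogs; adapt the grep for
other distributions. <br>

```sh
#!/bin/sh
# Added example, not from the original e-mail thread. Checks a CentOS/RHEL
# admin would run for Heartbleed (CVE-2014-0160). On a real host:
#   heartbleed_verdict "$(openssl version)" "$(rpm -q --changelog openssl)"
#   tls_linkage "$(ldd /usr/sbin/httpd 2>&1)"
# Assumption: the distro records a back-ported fix in the RPM changelog
# by CVE id (RHEL does); other distros may need a different grep.

# 1. Is the upstream version string in the affected range 1.0.1 .. 1.0.1f?
#    0.9.8, 1.0.0 and 1.0.1g or later are not affected by CVE-2014-0160.
heartbleed_affected_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # in range: affected unless back-ported
        *)                return 1 ;;
    esac
}

# 2. Does the installed package's changelog record the fix? RHEL keeps the
#    upstream version string (1.0.1e) and back-ports the patch, so the
#    version alone cannot tell you whether this 1.0.1e is the fixed build.
heartbleed_fix_in_changelog() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# Combine 1 and 2 into one verdict: unaffected / backported / vulnerable.
heartbleed_verdict() {
    if ! heartbleed_affected_version "$1"; then
        echo unaffected
    elif heartbleed_fix_in_changelog "$2"; then
        echo backported
    else
        echo vulnerable
    fi
}

# 3. Which TLS library does a daemon actually load? Updating the openssl
#    package only helps binaries that pick up the shared libssl; a program
#    built against GnuTLS or NSS is patched by its own library, and a
#    statically linked one must be rebuilt. "none" is not a clean bill of
#    health: OpenSSL linked in statically is invisible to ldd.
tls_linkage() {
    case "$1" in
        *"not a dynamic executable"*) echo static ;;
        *libssl.so*)                  echo openssl ;;
        *libgnutls.so*)               echo gnutls ;;
        *libnss3.so*)                 echo nss ;;
        *)                            echo none ;;
    esac
}

# --- constructed sample data (illustrative, not captured from a real host) ---
VER_E='OpenSSL 1.0.1e-fips 11 Feb 2013'
VER_G='OpenSSL 1.0.1g 7 Apr 2014'
VER_OLD='OpenSSL 1.0.0-fips 29 Mar 2010'
LOG_OLD='* Mon Jan 06 2014 packager@example.com 1.0.1e-16.1
- earlier, unrelated fix (placeholder entry)'
LOG_FIXED="$LOG_OLD
* Mon Apr 07 2014 packager@example.com 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension"
LDD_HTTPD='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000000000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000100000)'
LDD_STATIC='    not a dynamic executable'

main() {
    echo "1.0.1e, no fix entry : $(heartbleed_verdict "$VER_E" "$LOG_OLD")"
    echo "1.0.1e, fix entry    : $(heartbleed_verdict "$VER_E" "$LOG_FIXED")"
    echo "1.0.1g               : $(heartbleed_verdict "$VER_G" "$LOG_OLD")"
    echo "1.0.0                : $(heartbleed_verdict "$VER_OLD" "$LOG_OLD")"
    echo "httpd links          : $(tls_linkage "$LDD_HTTPD")"
    echo "static binary        : $(tls_linkage "$LDD_STATIC")"
}
main
```

The point of the verdict function is the middle case: a 1.0.1e build whose
changelog names the CVE is the back-port the thread talks about, and the
version string alone would wrongly flag it as vulnerable. <br>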
</body>
</html>