[ale] OpenSSL Broken, Upgrade Now

Jay Lozier jslozier at gmail.com
Wed Apr 16 10:32:04 EDT 2014


Hi

I believe the patched version is OpenSSL 1.0.1g 7 Apr 2014

Jay
On 04/16/2014 10:24 AM, Paul Cartwright wrote:
> I ran that and also got the same:
> openssl
> OpenSSL> version
> OpenSSL 1.0.1e-fips 11 Feb 2013
>
> openssl.x86_64 1:1.0.1e-37.fc20.1 @updates
> openssl-libs.i686 1:1.0.1e-37.fc20.1 @updates
> openssl-libs.x86_64 1:1.0.1e-37.fc20.1 @update
>
>
> but I just got an updated openssl recently..
>>
>> Yes and it is using the affected version. You need to patch.
>>
>> You can figure out your version of openssl by:
>>
>> Typing “openssl”
>>
>> At prompt type “version”.
>>
>> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
>> Sent: Wednesday, April 16, 2014 8:38 AM
>> To: Atlanta Linux Enthusiasts
>> Subject: Re: [ale] OpenSSL Broken, Upgrade Now
>>
>> If I run ssh -v user at host I see:
>>
>> OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 51: Applying options for *
>> ...
>>
>> So is OpenSSH _using_ OpenSSL for encryption processes?
>>
>> On Tue, Apr 15, 2014 at 1:07 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>
>> Heartbleed bug also affects android phones with Jelly Bean version
>>
>> http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows
>>
>> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik <david at systemoverlord.com> wrote:
>>
>>     TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider
>>     replacing keys. Not as bad as Debian OpenSSL bug, but worse than
>>     "goto fail;".
>>
>>     "The Heartbleed Bug is a serious vulnerability in the popular
>>     OpenSSL cryptographic software library. This weakness allows
>>     stealing the information protected, under normal conditions, by
>>     the SSL/TLS encryption used to secure the Internet. SSL/TLS
>>     provides communication security and privacy over the Internet for
>>     applications such as web, email, instant messaging (IM) and some
>>     virtual private networks (VPNs).
>>
>>     The Heartbleed bug allows anyone on the Internet to read the
>>     memory of the systems protected by the vulnerable versions of the
>>     OpenSSL software. This compromises the secret keys used to
>>     identify the service providers and to encrypt the traffic, the
>>     names and passwords of the users and the actual content. This
>>     allows attackers to eavesdrop communications, steal data directly
>>     from the services and users and to impersonate services and users."
>>
>>     http://heartbleed.com
>>
>>     -- 
>>     David Tomaschik
>>     OpenPGP: 0x5DEA789B
>>     http://systemoverlord.com
>>     david at systemoverlord.com
>>
>>     _______________________________________________
>>     Ale mailing list
>>     Ale at ale.org
>>     http://mail.ale.org/mailman/listinfo/ale
>>     See JOBS, ANNOUNCE and SCHOOLS lists at
>>     http://mail.ale.org/mailman/listinfo
>>
>>
>>
>>
>> -- 
>> James P. Kinney III
>>
>> Every time you stop a school, you will have to build a jail. What 
>> you gain at one end you lose at the other. It's like feeding a dog on 
>> his own tail. It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>>
>> http://heretothereideas.blogspot.com//
>
>
> -- 
> Paul Cartwright
> Registered Linux User #367800 and new counter #561587

-- 
Jay Lozier
jslozier at gmail.com
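
Added example, not part of the original thread: a shell check that classifies the banners quoted above against the upstream 1.0.1 through 1.0.1f range (fixed in 1.0.1g), plus a changelog search for packaged builds, where a distribution may backport a fix without changing the upstream version string. The function names, the "heartbeat" search term and the changelog line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the thread.

# classify_openssl_banner BANNER
# Accepts `openssl version` output or the `ssh -v` banner line and prints:
#   in-range      upstream 1.0.1 through 1.0.1f (before the 1.0.1g fix)
#   fixed         1.0.1g or a later 1.0.1 letter release
#   other-branch  not a 1.0.1 release; this range check does not apply
#   unparsed      no "OpenSSL <version>" pair found
classify_openssl_banner() {
    # Take the token that follows the word "OpenSSL".
    ver=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "OpenSSL") { print $(i + 1); exit }
    }')
    [ -n "$ver" ] || { echo unparsed; return 0; }
    ver=${ver%%-*}    # drop build suffixes such as "-fips"
    case $ver in
        1.0.1|1.0.1[abcdef])             echo in-range ;;
        1.0.1[ghijklmnopqrstuvwxyz])     echo fixed ;;
        [0-9]*.[0-9]*.[0-9]*)            echo other-branch ;;
        *)                               echo unparsed ;;
    esac
}

# changelog_mentions TERM
# Exit 0 if the package changelog on stdin mentions TERM. A distribution
# build can carry a backported fix under an unchanged upstream version,
# so an in-range banner from a packaged build still needs this check.
changelog_mentions() {
    grep -qi -- "$1"
}

# Banners quoted in the thread.
for banner in \
    'OpenSSL 1.0.1e-fips 11 Feb 2013' \
    'OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013' \
    'OpenSSL 1.0.1g 7 Apr 2014'
do
    printf '%-12s %s\n' "$(classify_openssl_banner "$banner")" "$banner"
done

# Constructed changelog text; on an RPM system pipe in
# `rpm -q --changelog openssl` instead.
printf '%s\n' '- constructed entry: fix TLS heartbeat read overrun' |
    changelog_mentions heartbeat && echo 'changelog mentions the fix'
```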


