[ale] OpenSSL Broken, Upgrade Now
Beddingfield, Allen
allen at ua.edu
Wed Apr 16 10:34:42 EDT 2014
You can't necessarily go by the version #, though. For example, Red Hat backported the fix into the version they shipped with the OS, instead of incrementing the version #.
Allen B.
--
Allen Beddingfield
Systems Engineer
The University of Alabama
________________________________________
From: ale-bounces at ale.org [ale-bounces at ale.org] on behalf of Jay Lozier [jslozier at gmail.com]
Sent: Wednesday, April 16, 2014 9:32 AM
To: ale at ale.org
Subject: Re: [ale] OpenSSL Broken, Upgrade Now
Hi
I believe the patched version is OpenSSL 1.0.1g 7 Apr 2014
Jay
On 04/16/2014 10:24 AM, Paul Cartwright wrote:
> I ran that and also got the same:
> openssl
> OpenSSL> version
> OpenSSL 1.0.1e-fips 11 Feb 2013
>
> openssl.x86_64 1:1.0.1e-37.fc20.1 @updates
> openssl-libs.i686 1:1.0.1e-37.fc20.1 @updates
> openssl-libs.x86_64 1:1.0.1e-37.fc20.1 @update
>
>
> but I just got an updated openssl recently..
>>
>> Yes and it is using the affected version. You need to patch.
>>
>> You can figure out your version of openssl by:
>>
>> Typing “openssl”
>>
>> At prompt type “version”.
>>
>> *From:*ale-bounces at ale.org [mailto:ale-bounces at ale.org] *On Behalf Of
>> *Jim Kinney
>> *Sent:* Wednesday, April 16, 2014 8:38 AM
>> *To:* Atlanta Linux Enthusiasts
>> *Subject:* Re: [ale] OpenSSL Broken, Upgrade Now
>>
>> If I run ssh -v user at host I see:
>>
>> OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 51: Applying options for *
>> ...
>>
>> So is OpenSSH _using_ OpenSSL for encryption processes?
>>
>> On Tue, Apr 15, 2014 at 1:07 PM, Jim Kinney <jim.kinney at gmail.com
>> <mailto:jim.kinney at gmail.com>> wrote:
>>
>> Heartbleed bug also affects android phones with Jelly Bean version
>>
>> http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows
>>
>> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik
>> <david at systemoverlord.com <mailto:david at systemoverlord.com>> wrote:
>>
>> TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider
>> replacing keys. Not as bad as Debian OpenSSL bug, but worse than
>> "goto fail;".
>>
>> "The Heartbleed Bug is a serious vulnerability in the popular
>> OpenSSL cryptographic software library. This weakness allows
>> stealing the information protected, under normal conditions, by
>> the SSL/TLS encryption used to secure the Internet. SSL/TLS
>> provides communication security and privacy over the Internet for
>> applications such as web, email, instant messaging (IM) and some
>> virtual private networks (VPNs).
>>
>> The Heartbleed bug allows anyone on the Internet to read the
>> memory of the systems protected by the vulnerable versions of the
>> OpenSSL software. This compromises the secret keys used to
>> identify the service providers and to encrypt the traffic, the
>> names and passwords of the users and the actual content. This
>> allows attackers to eavesdrop communications, steal data directly
>> from the services and users and to impersonate services and users."
>>
>> http://heartbleed.com
>>
>> --
>> David Tomaschik
>> OpenPGP: 0x5DEA789B
>> http://systemoverlord.com
>> david at systemoverlord.com <mailto:david at systemoverlord.com>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org <mailto:Ale at ale.org>
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
>>
>>
>> --
>>
>> --
>> James P. Kinney III
>> /
>> /Every time you stop a school, you will have to build a jail. What
>> you gain at one end you lose at the other. It's like feeding a dog on
>> his own tail. It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>> /
>> http://heretothereideas.blogspot.com//
>>
>>
>>
>>
>> --
>>
>> --
>> James P. Kinney III
>> /
>> /Every time you stop a school, you will have to build a jail. What
>> you gain at one end you lose at the other. It's like feeding a dog on
>> his own tail. It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>> /
>> http://heretothereideas.blogspot.com//
>>
>> Athena®, Created for the Cause™
>>
>> Making a Difference in the Fight Against Breast Cancer
>>
>> ---------------------------------
>> CONFIDENTIALITY NOTICE: This e-mail may contain privileged or
>> confidential information and is for the sole use of the intended
>> recipient(s). If you are not the intended recipient, any disclosure,
>> copying, distribution, or use of the contents of this information is
>> prohibited and may be unlawful. If you have received this electronic
>> transmission in error, please reply immediately to the sender that
>> you have received the message in error, and delete it. Thank you.
>> ----------------------------------
>>
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>
>
> --
> Paul Cartwright
> Registered Linux User #367800 and new counter #561587
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
--
Jay Lozier
jslozier at gmail.com
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
More information about the Ale
mailing list