[ale] OpenSSL Broken, Upgrade Now

Jim Kinney jim.kinney at gmail.com
Wed Apr 16 15:08:02 EDT 2014


Ditto with Fedora. The patched version is 1.0.1e-37.f19.1  <- it's the .1
that matters here.


On Wed, Apr 16, 2014 at 10:34 AM, Beddingfield, Allen <allen at ua.edu> wrote:

> You can't necessarily go by the version #, though.  For example, Red Hat
>  backported the fix into the version they shipped with the OS, instead of
> incrementing the version #.
> Allen B.
> --
> Allen Beddingfield
> Systems Engineer
> The University of Alabama
>
> ________________________________________
> From: ale-bounces at ale.org [ale-bounces at ale.org] on behalf of Jay Lozier [
> jslozier at gmail.com]
> Sent: Wednesday, April 16, 2014 9:32 AM
> To: ale at ale.org
> Subject: Re: [ale] OpenSSL Broken, Upgrade Now
>
> Hi
>
> I believe the patched version is OpenSSL 1.0.1g 7 Apr 2014
>
> Jay
> On 04/16/2014 10:24 AM, Paul Cartwright wrote:
> > I ran that and also got the same:
> > openssl
> > OpenSSL> version
> > OpenSSL 1.0.1e-fips 11 Feb 2013
> >
> > openssl.x86_64 1:1.0.1e-37.fc20.1 @updates
> > openssl-libs.i686 1:1.0.1e-37.fc20.1 @updates
> > openssl-libs.x86_64 1:1.0.1e-37.fc20.1 @update
> >
> >
> > but I just got an updated openssl recently..
> >>
> >> Yes and it is using the affected version. You need to patch.
> >>
> >> You can figure out your version of openssl by:
> >>
> >> Typing “openssl”
> >>
> >> At prompt type “version”.
> >>
> >> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
> >> Sent: Wednesday, April 16, 2014 8:38 AM
> >> To: Atlanta Linux Enthusiasts
> >> Subject: Re: [ale] OpenSSL Broken, Upgrade Now
> >>
> >> If I run ssh -v user at host I see:
> >>
> >> OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
> >> debug1: Reading configuration data /etc/ssh/ssh_config
> >> debug1: /etc/ssh/ssh_config line 51: Applying options for *
> >> ...
> >>
> >> So is OpenSSH _using_ OpenSSL for encryption processes?
> >>
> >> On Tue, Apr 15, 2014 at 1:07 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> >>
> >> Heartbleed bug also affects Android phones with Jelly Bean version
> >>
> >> http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows
> >>
> >> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik <david at systemoverlord.com> wrote:
> >>
> >>     TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider
> >>     replacing keys. Not as bad as Debian OpenSSL bug, but worse than
> >>     "goto fail;".
> >>
> >>     "The Heartbleed Bug is a serious vulnerability in the popular
> >>     OpenSSL cryptographic software library. This weakness allows
> >>     stealing the information protected, under normal conditions, by
> >>     the SSL/TLS encryption used to secure the Internet. SSL/TLS
> >>     provides communication security and privacy over the Internet for
> >>     applications such as web, email, instant messaging (IM) and some
> >>     virtual private networks (VPNs).
> >>
> >>     The Heartbleed bug allows anyone on the Internet to read the
> >>     memory of the systems protected by the vulnerable versions of the
> >>     OpenSSL software. This compromises the secret keys used to
> >>     identify the service providers and to encrypt the traffic, the
> >>     names and passwords of the users and the actual content. This
> >>     allows attackers to eavesdrop communications, steal data directly
> >>     from the services and users and to impersonate services and users."
> >>
> >>     http://heartbleed.com
> >>
> >>     --
> >>     David Tomaschik
> >>     OpenPGP: 0x5DEA789B
> >>     http://systemoverlord.com
> >>     david at systemoverlord.com
> >>
> >>     _______________________________________________
> >>     Ale mailing list
> >>     Ale at ale.org <mailto:Ale at ale.org>
> >>     http://mail.ale.org/mailman/listinfo/ale
> >>     See JOBS, ANNOUNCE and SCHOOLS lists at
> >>     http://mail.ale.org/mailman/listinfo
> >>
> >>
> >>
> >>
> >> --
> >> James P. Kinney III
> >>
> >> Every time you stop a school, you will have to build a jail. What
> >> you gain at one end you lose at the other. It's like feeding a dog on
> >> his own tail. It won't fatten the dog.
> >> - Speech 11/23/1900 Mark Twain
> >>
> >> http://heretothereideas.blogspot.com/
> >
> >
> > --
> > Paul Cartwright
> > Registered Linux User #367800 and new counter #561587
>
> --
> Jay Lozier
> jslozier at gmail.com



-- 
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


*http://heretothereideas.blogspot.com/
<http://heretothereideas.blogspot.com/>*
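
The point made in the thread, that the `openssl version` banner can stay at 1.0.1e while the package release carries the fix, as an added example that is not part of the original messages. It compares the banner against 1.0.1g and a Fedora package EVR against 1.0.1e-37.<dist>.1; the function names and the simplified `rpmvercmp` are assumptions of this example, and the unpatched EVR in the sample is constructed.

```python
import re

FIXED_UPSTREAM = "1.0.1g"        # upstream fix named in the thread
FIXED_FEDORA_VERSION = "1.0.1e"  # Fedora kept this version and bumped the release
FIXED_FEDORA_BASE = "37"         # patched release is 37.<dist>.1 per the thread


def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no '~' or '^' handling): -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win


def banner_below_fix(banner):
    """True if the `openssl version` banner reports a version older than 1.0.1g."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", banner)
    if not m:
        raise ValueError("unrecognised banner: %r" % banner)
    return rpmvercmp(m.group(1), FIXED_UPSTREAM) < 0


def fedora_build_patched(evr):
    """True if a Fedora openssl EVR is at or past 1.0.1e-37.<dist>.1."""
    m = re.fullmatch(r"(?:\d+:)?([^-]+)-(.+)", evr)
    dist = re.search(r"\.(fc\d+)", evr)
    if not m or not dist:
        raise ValueError("not a Fedora EVR: %r" % evr)
    version, release = m.groups()
    c = rpmvercmp(version, FIXED_FEDORA_VERSION)
    if c != 0:
        return c > 0
    fixed_release = "%s.%s.1" % (FIXED_FEDORA_BASE, dist.group(1))
    return rpmvercmp(release, fixed_release) >= 0


if __name__ == "__main__":
    banner = "OpenSSL 1.0.1e-fips 11 Feb 2013"            # banner quoted in the thread
    for evr in ("1:1.0.1e-37.fc20.1", "1:1.0.1e-37.fc20"):  # second EVR is constructed
        print(evr, "banner<1.0.1g:", banner_below_fix(banner),
              "patched build:", fedora_build_patched(evr))
```

On a live system the two inputs come from `openssl version` and `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' openssl`.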