[ale] OpenSSL Broken, Upgrade Now
David Tomaschik
david at systemoverlord.com
Thu Apr 17 00:56:27 EDT 2014
On Wed, Apr 16, 2014 at 5:36 AM, Jim Kinney <jim.kinney at gmail.com> wrote:
> If I run ssh -v user at host I see:
>
> OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 51: Applying options for *
> ...
>
> So is OpenSSH _using_ OpenSSL for encryption processes?
>
Yes, but OpenSSH is not vulnerable to Heartbleed.
OpenSSH uses OpenSSL for cryptographic primatives, but OpenSSH does not use
TLS. Heartbleed is a vulnerability in the TLS implementation within
OpenSSL; specifically, an error in processing incoming TLS messages. Since
OpenSSH doesn't use TLS, it doesn't process TLS messages, so there's no
risk from Heartbleed.
>
>
> On Tue, Apr 15, 2014 at 1:07 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>
>> Heartbleed bug also affects android phones with Jelly Bean version
>>
>>
>> http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows
>>
>>
>> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik <david at systemoverlord.com
>> > wrote:
>>
>>> TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider replacing
>>> keys. Not as bad as Debian OpenSSL bug, but worse than "goto fail;".
>>>
>>> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
>>> cryptographic software library. This weakness allows stealing the
>>> information protected, under normal conditions, by the SSL/TLS encryption
>>> used to secure the Internet. SSL/TLS provides communication security and
>>> privacy over the Internet for applications such as web, email, instant
>>> messaging (IM) and some virtual private networks (VPNs).
>>>
>>> The Heartbleed bug allows anyone on the Internet to read the memory of
>>> the systems protected by the vulnerable versions of the OpenSSL software.
>>> This compromises the secret keys used to identify the service providers and
>>> to encrypt the traffic, the names and passwords of the users and the actual
>>> content. This allows attackers to eavesdrop communications, steal data
>>> directly from the services and users and to impersonate services and users."
>>>
>>> http://heartbleed.com
>>>
>>> --
>>> David Tomaschik
>>> OpenPGP: 0x5DEA789B
>>> http://systemoverlord.com
>>> david at systemoverlord.com
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>>
>>
>>
>> --
>> --
>> James P. Kinney III
>>
>> Every time you stop a school, you will have to build a jail. What you
>> gain at one end you lose at the other. It's like feeding a dog on his own
>> tail. It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>>
>>
>> *http://heretothereideas.blogspot.com/
>> <http://heretothereideas.blogspot.com/>*
>>
>
>
>
> --
> --
> James P. Kinney III
>
> Every time you stop a school, you will have to build a jail. What you gain
> at one end you lose at the other. It's like feeding a dog on his own tail.
> It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
>
>
> *http://heretothereideas.blogspot.com/
> <http://heretothereideas.blogspot.com/>*
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20140416/ae71a6e4/attachment-0001.html>
More information about the Ale
mailing list