[ale] OpenSSL Broken, Upgrade Now

Jim Kinney jim.kinney at gmail.com
Thu Apr 17 10:14:48 EDT 2014


On Thu, Apr 17, 2014 at 12:56 AM, David Tomaschik
<david at systemoverlord.com> wrote:

> On Wed, Apr 16, 2014 at 5:36 AM, Jim Kinney <jim.kinney at gmail.com> wrote:
>
>> If I run ssh -v user at host  I see:
>>
>> OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 51: Applying options for *
>> ...
>>
>> So is OpenSSH _using_ OpenSSL for encryption processes?
>>
>
> Yes, but OpenSSH is not vulnerable to Heartbleed.
>
> OpenSSH uses OpenSSL for cryptographic primitives, but OpenSSH does not
> use TLS.  Heartbleed is a vulnerability in the TLS implementation within
> OpenSSL; specifically, an error in processing incoming TLS messages.  Since
> OpenSSH doesn't use TLS, it doesn't process TLS messages, so there's no
> risk from Heartbleed.
>
>

Thanks! So ssh uses its own heartbeat function and not the one in
OpenSSL which has the massive leak.

>
>> On Tue, Apr 15, 2014 at 1:07 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>
>>> Heartbleed bug also affects android phones with Jelly Bean version
>>>
>>>
>>> http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows
>>>
>>>
>>> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik <
>>> david at systemoverlord.com> wrote:
>>>
>>>> TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider replacing
>>>> keys.  Not as bad as Debian OpenSSL bug, but worse than "goto fail;".
>>>>
>>>> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
>>>> cryptographic software library. This weakness allows stealing the
>>>> information protected, under normal conditions, by the SSL/TLS encryption
>>>> used to secure the Internet. SSL/TLS provides communication security and
>>>> privacy over the Internet for applications such as web, email, instant
>>>> messaging (IM) and some virtual private networks (VPNs).
>>>>
>>>> The Heartbleed bug allows anyone on the Internet to read the memory of
>>>> the systems protected by the vulnerable versions of the OpenSSL software.
>>>> This compromises the secret keys used to identify the service providers and
>>>> to encrypt the traffic, the names and passwords of the users and the actual
>>>> content. This allows attackers to eavesdrop communications, steal data
>>>> directly from the services and users and to impersonate services and users."
>>>>
>>>> http://heartbleed.com
>>>>
>>>> --
>>>> David Tomaschik
>>>> OpenPGP: 0x5DEA789B
>>>> http://systemoverlord.com
>>>> david at systemoverlord.com
>>>>
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> http://mail.ale.org/mailman/listinfo
>>>>
>>>>
>>>
>>>
>>> --
>>> --
>>> James P. Kinney III
>>>
>>> Every time you stop a school, you will have to build a jail. What you
>>> gain at one end you lose at the other. It's like feeding a dog on his own
>>> tail. It won't fatten the dog.
>>> - Speech 11/23/1900 Mark Twain
>>>
>>>
>>> *http://heretothereideas.blogspot.com/
>>> <http://heretothereideas.blogspot.com/>*
>>>


-- 
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


*http://heretothereideas.blogspot.com/
<http://heretothereideas.blogspot.com/>*
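
An added example, not part of the thread and not code from either poster: it combines the two checks the exchange above turns on, whether the OpenSSL banner falls before the 1.0.1g fix and whether a given binary links the TLS layer (libssl) or only the primitives (libcrypto). The function names and the `ldd`-style listings are constructed for illustration, and the 1.0.1 through 1.0.1f range is the upstream range from the advisory linked in the thread.

```python
import re

# Library part of a banner such as the one `ssh -v` prints.
BANNER_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-[\w.]+)?")

def upstream_status(banner):
    """Classify an OpenSSL banner against the upstream 1.0.1g fix release."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, tag = m.group(4), m.group(5) or ""
    if release < (1, 0, 1):
        return "predates-heartbeat"      # heartbeat support arrived in 1.0.1
    if release > (1, 0, 1):
        # Pre-release tags (e.g. -beta1) need the advisory, not string math.
        return "check-advisory" if "beta" in tag else "fixed-upstream"
    # Inside 1.0.1 the letter orders releases: "" < "a" < ... < "f" < "g".
    return "fixed-upstream" if letter >= "g" else "affected-upstream"

def links_tls_layer(ldd_output):
    """True if libssl (the TLS layer) is linked; libcrypto alone is primitives."""
    return any(re.match(r"\s*libssl\.so", l) for l in ldd_output.splitlines())

def assess(banner, ldd_output):
    """Combine the banner with what one binary actually links."""
    if not links_tls_layer(ldd_output):
        return "no-tls-code-path"        # this binary only; statically linked
                                         # or dlopen()ed libssl is not detected
    status = upstream_status(banner)
    if status == "affected-upstream":
        # Distributions may backport the fix without changing the banner.
        return "upgrade-or-verify-backport"
    return status

PAGE_BANNER = "OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013"  # from the thread
# Constructed `ldd`-style listings (library names and paths are assumptions).
SSH_LDD = """\
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)
"""
TLS_SERVER_LDD = """\
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000400000)
"""

if __name__ == "__main__":
    print("banner alone:", upstream_status(PAGE_BANNER))
    print("ssh client  :", assess(PAGE_BANNER, SSH_LDD))
    print("TLS server  :", assess(PAGE_BANNER, TLS_SERVER_LDD))
```

A "no-tls-code-path" result applies to that one binary; any other service on the same host that links libssl still needs the upgrade.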