Hi,

I was wondering why most of my secure services didn't show up as vulnerable...

-----

It does not seem to affect those services that require a valid user certificate.

aka, in apache 2.2

    SSLVerifyClient Require
    SSLVerifyDepth 1 (up to 10)

I couldn't find a way to use the HB before satisfying the verify.

I might be wrong.

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770
Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911
http://www.pubnix.net
Fax: 514-990-9443

On 04/08/14 08:18, David Hubbard wrote:
Don't forget to restart every daemon that was using the old library as well, or just reboot.
-----Original Message-----
From: Peter Kristolaitis [mailto:alter3d@alter3d.ca]
Sent: Tuesday, April 08, 2014 1:19 AM
To: nanog@nanog.org
Subject: Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Not just run the updates -- all private keys should be changed too, on the assumption that they've been compromised already. THAT is going to be the crappy part of this.
- Pete
On 4/8/2014 1:13 AM, David Hubbard wrote:
RHEL and CentOS both have patches out as of a couple hours ago, so run those updates! CentOS' mirrors do not all have it yet, so if you are updating, make sure you get the 1.0.1e-16.el6_5.7 version and not older.
David
-----Original Message-----
From: Paul Ferguson [mailto:fergdawgster@mykolab.com]
Sent: Tuesday, April 08, 2014 1:07 AM
To: NANOG
Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
I'm really surprised no one has mentioned this here yet...
FYI,
- ferg
Begin forwarded message:
From: Rich Kulawiec <rsk@gsp.org>
Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Date: April 7, 2014 at 9:27:40 PM EDT
This reaches across many versions of Linux and BSD and, I'd presume, into some versions of operating systems based on them. OpenSSL is used in web servers, mail servers, VPNs, and many other places.
Writeup:
    Heartbleed: Serious OpenSSL zero day vulnerability revealed
    http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/

Technical details:
    Heartbleed Bug
    http://heartbleed.com/

OpenSSL versions affected (from link just above):
    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
    OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable
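Added example, not part of the original thread: one way to act on the advice above to restart every daemon that was using the old library is to look for processes that still map a libssl/libcrypto file the package update has already replaced on disk. It assumes a Linux /proc filesystem; the function names are illustrative and the sample maps lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Print the unique libssl/libcrypto paths that a /proc/<pid>/maps-format file
# shows as "(deleted)", i.e. replaced on disk but still mapped in memory.
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)[^/]*$" { print $(NF-1) }' \
        "$1" 2>/dev/null | sort -u
}

# Walk every process and report PID, name and stale libraries, tab-separated.
# Run as root; other users' maps files are unreadable otherwise.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        libs=$(stale_ssl_libs "$maps")
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        name=$(awk '/^Name:/ { print $2; exit }' "/proc/$pid/status" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "$name" "$(echo $libs)"
    done
}

# Constructed sample of /proc/<pid>/maps lines (not captured from a real host).
sample_maps() {
    cat <<'EOF'
7f3a10000000-7f3a1005e000 r-xp 00000000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1025e000-7f3a10262000 rw-p 0005e000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a0fc00000-7f3a0fdb5000 r-xp 00000000 fd:00 1309 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a0f800000-7f3a0f98a000 r-xp 00000000 fd:00 1200 /lib64/libc-2.12.so
7f3a0f400000-7f3a0f420000 r-xp 00000000 fd:00 1400 /tmp/cache.bin (deleted)
EOF
}

if [ "${1:-}" = "--scan" ]; then
    scan_procs
else
    tmp=$(mktemp) && sample_maps > "$tmp" && stale_ssl_libs "$tmp"; rm -f "$tmp"
fi
```

Run with `--scan` as root on the updated host; any process it lists is still executing the pre-update library and needs a restart.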