Subject: Re: am I NOT hacked?
From: Dimitry Andric
Date: Sat, 26 Apr 2014 12:24:51 +0200
To: Joe Parsons
Cc: "freebsd-security@freebsd.org"
Message-Id: <039246EB-21D1-48C1-9D59-F3C9F8D8C74D@FreeBSD.org>

On 26 Apr 2014, at 11:55, Joe Parsons wrote:
> I was slow to patch my multiple vms after that heartbleed disclosure.
> I just managed to upgrade these systems to 9.2, and installed the patched openssl,

FreeBSD 9.x was never vulnerable to Heartbleed, as you can read in the security advisory (FreeBSD-SA-14:06.openssl). This is because it still has OpenSSL 0.9.8, and the feature that contains the Heartbleed problem was only implemented after OpenSSL 1.0.

That said, the advisory also contained another OpenSSL security problem, CVE-2014-0076, but that was apparently found less earth-shattering than Heartbleed. So it is still a good idea to patch up your server(s) and check for irregularities.

-Dimitry
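The version reasoning in the reply above, as an added example that is not part of the original message or of FreeBSD's tooling: a shell helper that classifies an `openssl version` string against the Heartbleed range. The affected range (OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas) comes from the upstream CVE-2014-0160 advisory rather than from this message; the name `heartbleed_status` is hypothetical and the sample strings are constructed.

```shell
#!/bin/sh
# Added example: classify `openssl version` output for Heartbleed
# (CVE-2014-0160). heartbleed_status is a hypothetical helper name.
# Usage on a live host: heartbleed_status "$(openssl version)"

heartbleed_status() {
    # $1: e.g. "OpenSSL 0.9.8y 5 Feb 2013"
    name=${1%% *}
    rest=${1#* }
    ver=${rest%% *}

    # Other TLS libraries need their own check.
    [ "$name" = "OpenSSL" ] || { echo "unknown"; return 0; }

    # The 1.0.2 betas carried the bug; test before stripping suffixes.
    case "$ver" in
        1.0.2-beta|1.0.2-beta1) echo "affected-range"; return 0 ;;
    esac

    ver=${ver%%-*}    # drop vendor suffix such as "-freebsd" or "-fips"
    case "$ver" in
        0.9.*|1.0.0*)
            echo "not-affected" ;;    # heartbeat extension not present
        1.0.1|1.0.1[abcdef])
            # Vendors often backport the fix without changing this string,
            # so confirm the OS patch level before concluding anything.
            echo "affected-range" ;;
        1.0.1[a-z]|1.0.2*|1.[1-9].*|[2-9].*)
            echo "fixed" ;;           # 1.0.1g and later releases
        *)
            echo "unknown" ;;
    esac
}

# Constructed sample inputs (not captured from real hosts).
for sample in \
    "OpenSSL 0.9.8y 5 Feb 2013" \
    "OpenSSL 1.0.1e-freebsd 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014"
do
    printf '%-38s %s\n' "$sample" "$(heartbleed_status "$sample")"
done
```

An `affected-range` result only says the version string falls in the vulnerable window; whether the installed build carries the vendor's fix has to be confirmed from the system's patch level.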