From: Joe Parsons
To: "freebsd-security@freebsd.org"
Subject: RE: am I NOT hacked?
Date: Sat, 26 Apr 2014 14:17:13 -0400

Sorry, one paragraph of my last reply appears to be screwed up on the web archive. You can ignore that reply and just read the following. I'm sorry for the confusion.

Ok, thanks a lot for all your kind help. I learned the pwd_mkdb manpage and the databases as you suggested.

To clarify, I understand 9.1 kernel contains the non-vulnerable version of openssl library, hence mere apache/https is not vulnerable. However the vulnerable openssl port is installed for the mail software to provide imaps/pops/smtps services, so they are vulnerable.

The following reply is what I'm confused about:

> In any case, heartbleed does *not* facilitate remote code execution or
> code injection, only information retrieval, so unless your passwords
> were stored in cleartext (or a weakly hashed form) in the memory of an
> Internet-facing SSL-enabled service (such as https, smtp with STARTTLS
> or imaps, but not ssh), you cannot have been "hacked" as a consequence
> of heartbleed.

I ssh into the system, and I /usr/bin/su to become root. Do my shell passwords show up in clear text in the memory briefly, so the attacker could happen to harvest them? In other words, on a system with the vulnerable openssl port, do we need to change the shell password for root and other users, if these passwords are ONLY used in ssh and /usr/bin/su?

I googled and found few results, almost all are focused on changing user mail passwords and server certificates. Only found this page said they changed server root password:

http://digitalopera.com/geek-rants/what-were-doing-to-combat-heartbleed/

Thanks,
Joe