Date: Fri, 11 Apr 2014 12:53:29 +0000 From: <sbremal@hotmail.com> To: Mohacsi Janos <mohacsi@niif.hu> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: RE: CVE-2014-0160? Message-ID: <DUB126-W864CD6C2BD872D72C58222A9540@phx.gbl> In-Reply-To: <alpine.DEB.2.00.1404111341450.13520@strudel.ki.iif.hu> References: <DUB126-W5BC501CB4B718B4504D74A9540@phx.gbl>, <alpine.DEB.2.00.1404111341450.13520@strudel.ki.iif.hu>
next in thread | previous in thread | raw e-mail | index | archive | help
ext 65281 (renegotiation info, length=1) ext 00011 (EC point formats, length=4) ext 00035 (session ticket, length=0) ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check. Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug. Kösz! ;-) Is there any reason why nightly security patches are not enabled by default in FreeBSD? Cheers B. ---------------------------------------- > Date: Fri, 11 Apr 2014 13:46:10 +0200 > From: mohacsi@niif.hu > To: sbremal@hotmail.com > CC: freebsd-security@freebsd.org > Subject: Re: CVE-2014-0160? > > > > On Fri, 11 Apr 2014, sbremal@hotmail.com wrote: > >> Hello >> >> Could anyone comment this? Worry, not to worry, upgrade, upgrade to what version? >> >> There are few contradicting information coming out in regards to the check of my server related to the 'heartbleed' bug: >> >> 1. http://heartbleed.com/ >> >> ... >> Status of different versions: >> >> ---> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable >> OpenSSL 1.0.1g is NOT vulnerable >> OpenSSL 1.0.0 branch is NOT vulnerable >> OpenSSL 0.9.8 branch is NOT vulnerable >> ... >> How about operating systems? >> >> Some operating system distributions that have shipped with potentially vulnerable OpenSSL version: >> >> Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4 >> Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11 >> CentOS 6.5, OpenSSL 1.0.1e-15 >> Fedora 18, OpenSSL 1.0.1e-4 >> OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012) >> ---> FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013 >> NetBSD 5.0.2 (OpenSSL 1.0.1e) >> OpenSUSE 12.2 (OpenSSL 1.0.1c) > > Consult: > > http://www.freebsd.org/security/advisories.html > and > http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc > > >> >> Operating system distribution with versions that are not vulnerable: >> >> Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14 >> SUSE Linux Enterprise Server >> FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013 >> FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013 >> ---> FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC) > > Freebsd ports updated: > http://svnweb.freebsd.org/ports/head/security/openssl/ > >> ... >> >> 2. lynx -dump -head http://localhost/ >> >> HTTP/1.1 200 OK >> Date: Fri, 11 Apr 2014 08:10:11 GMT >> Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26 >> ---> OpenSSL/1.0.1e-freebsd >> DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3 >> Last-Modified: Wed, 12 Feb 2014 13:29:34 GMT >> ETag: "278b56-2c-4f235903dcb80" >> Accept-Ranges: bytes >> Content-Length: 44 >> Connection: close >> Content-Type: text/html >> >> 3. http://possible.lv/tools/hb/?domain=xxx >> >> ext 65281 (renegotiation info, length=1) >> ext 00011 (EC point formats, length=4) >> ext 00035 (session ticket, length=0) >> ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check. >> Actively checking if CVE-2014-0160 works: Server is vulnerable to all attacks tested, please upgrade software ASAP. >> >> 4. pkg audit >> >> 0 problem(s) in the installed packages found. > > Probably you use openssl form base system not from packages. > > >> >> >> Cheers >> B. >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DUB126-W864CD6C2BD872D72C58222A9540>