From owner-freebsd-security@FreeBSD.ORG Fri Apr 11 12:54:37 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 633C1E80 for ; Fri, 11 Apr 2014 12:54:37 +0000 (UTC) Received: from dub0-omc3-s30.dub0.hotmail.com (dub0-omc3-s30.dub0.hotmail.com [157.55.2.39]) by mx1.freebsd.org (Postfix) with ESMTP id 07C34153E for ; Fri, 11 Apr 2014 12:54:36 +0000 (UTC) Received: from DUB126-W86 ([157.55.2.9]) by dub0-omc3-s30.dub0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 11 Apr 2014 05:53:29 -0700 X-TMN: [wIVIM942RMRG0jIFPs2lvyc1tMqhyZ+e] X-Originating-Email: [sbremal@hotmail.com] Message-ID: From: To: Mohacsi Janos Subject: RE: CVE-2014-0160? Date: Fri, 11 Apr 2014 12:53:29 +0000 Importance: Normal In-Reply-To: References: , Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginalArrivalTime: 11 Apr 2014 12:53:29.0669 (UTC) FILETIME=[09933F50:01CF5585] Cc: "freebsd-security@freebsd.org" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2014 12:54:37 -0000 ext 65281 (renegotiation info=2C length=3D1)=0A= ext 00011 (EC point formats=2C length=3D4)=0A= ext 00035 (session ticket=2C length=3D0)=0A= ext 00015 (heartbeat=2C length=3D1) <-- Your server supports heartbeat. Bug= is possible when linking against OpenSSL 1.0.1f or older. Let me check.=0A= Actively checking if CVE-2014-0160 works: Your server appears to be patched= against this bug.=0A= =0A= K=F6sz! =3B-)=0A= =0A= Is there any reason why nightly security patches are not enabled by default= in FreeBSD?=0A= =0A= =0A= Cheers=0A= B.=0A= =0A= ----------------------------------------=0A= > Date: Fri=2C 11 Apr 2014 13:46:10 +0200=0A= > From: mohacsi@niif.hu=0A= > To: sbremal@hotmail.com=0A= > CC: freebsd-security@freebsd.org=0A= > Subject: Re: CVE-2014-0160?=0A= >=0A= >=0A= >=0A= > On Fri=2C 11 Apr 2014=2C sbremal@hotmail.com wrote:=0A= >=0A= >> Hello=0A= >>=0A= >> Could anyone comment this? Worry=2C not to worry=2C upgrade=2C upgrade t= o what version?=0A= >>=0A= >> There are few contradicting information coming out in regards to the che= ck of my server related to the 'heartbleed' bug:=0A= >>=0A= >> 1. http://heartbleed.com/=0A= >>=0A= >> ...=0A= >> Status of different versions:=0A= >>=0A= >> ---> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable=0A= >> OpenSSL 1.0.1g is NOT vulnerable=0A= >> OpenSSL 1.0.0 branch is NOT vulnerable=0A= >> OpenSSL 0.9.8 branch is NOT vulnerable=0A= >> ...=0A= >> How about operating systems?=0A= >>=0A= >> Some operating system distributions that have shipped with potentially v= ulnerable OpenSSL version:=0A= >>=0A= >> Debian Wheezy (stable)=2C OpenSSL 1.0.1e-2+deb7u4=0A= >> Ubuntu 12.04.4 LTS=2C OpenSSL 1.0.1-4ubuntu5.11=0A= >> CentOS 6.5=2C OpenSSL 1.0.1e-15=0A= >> Fedora 18=2C OpenSSL 1.0.1e-4=0A= >> OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 = May 2012)=0A= >> ---> FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013=0A= >> NetBSD 5.0.2 (OpenSSL 1.0.1e)=0A= >> OpenSUSE 12.2 (OpenSSL 1.0.1c)=0A= >=0A= > Consult:=0A= >=0A= > http://www.freebsd.org/security/advisories.html=0A= > and=0A= > http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc= =0A= >=0A= >=0A= >>=0A= >> Operating system distribution with versions that are not vulnerable:=0A= >>=0A= >> Debian Squeeze (oldstable)=2C OpenSSL 0.9.8o-4squeeze14=0A= >> SUSE Linux Enterprise Server=0A= >> FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013=0A= >> FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013=0A= >> ---> FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)=0A= >=0A= > Freebsd ports updated:=0A= > http://svnweb.freebsd.org/ports/head/security/openssl/=0A= >=0A= >> ...=0A= >>=0A= >> 2. lynx -dump -head http://localhost/=0A= >>=0A= >> HTTP/1.1 200 OK=0A= >> Date: Fri=2C 11 Apr 2014 08:10:11 GMT=0A= >> Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26=0A= >> ---> OpenSSL/1.0.1e-freebsd=0A= >> DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3=0A= >> Last-Modified: Wed=2C 12 Feb 2014 13:29:34 GMT=0A= >> ETag: "278b56-2c-4f235903dcb80"=0A= >> Accept-Ranges: bytes=0A= >> Content-Length: 44=0A= >> Connection: close=0A= >> Content-Type: text/html=0A= >>=0A= >> 3. http://possible.lv/tools/hb/?domain=3Dxxx=0A= >>=0A= >> ext 65281 (renegotiation info=2C length=3D1)=0A= >> ext 00011 (EC point formats=2C length=3D4)=0A= >> ext 00035 (session ticket=2C length=3D0)=0A= >> ext 00015 (heartbeat=2C length=3D1) <-- Your server supports heartbeat. = Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.= =0A= >> Actively checking if CVE-2014-0160 works: Server is vulnerable to all at= tacks tested=2C please upgrade software ASAP.=0A= >>=0A= >> 4. pkg audit=0A= >>=0A= >> 0 problem(s) in the installed packages found.=0A= >=0A= > Probably you use openssl form base system not from packages.=0A= >=0A= >=0A= >>=0A= >>=0A= >> Cheers=0A= >> B.=0A= >>=0A= >> _______________________________________________=0A= >> freebsd-security@freebsd.org mailing list=0A= >> http://lists.freebsd.org/mailman/listinfo/freebsd-security=0A= >> To unsubscribe=2C send any mail to "freebsd-security-unsubscribe@freebsd= .org"=0A= >>=0A= =