Date: Fri, 11 Apr 2014 11:35:32 +0000 From: <sbremal@hotmail.com> To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: CVE-2014-0160? Message-ID: <DUB126-W5BC501CB4B718B4504D74A9540@phx.gbl>
next in thread | raw e-mail | index | archive | help
Hello=0A= =0A= Could anyone comment this? Worry=2C not to worry=2C upgrade=2C upgrade to w= hat version?=0A= =0A= There are few contradicting information coming out in regards to the check = of my server related to the 'heartbleed' bug:=0A= =0A= 1. http://heartbleed.com/=0A= =0A= ...=0A= Status of different versions:=0A= =0A= --->=A0=A0=A0 OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable=0A= =A0=A0=A0 OpenSSL 1.0.1g is NOT vulnerable=0A= =A0=A0=A0 OpenSSL 1.0.0 branch is NOT vulnerable=0A= =A0=A0=A0 OpenSSL 0.9.8 branch is NOT vulnerable=0A= ...=0A= How about operating systems?=0A= =0A= Some operating system distributions that have shipped with potentially vuln= erable OpenSSL version:=0A= =0A= =A0=A0=A0 Debian Wheezy (stable)=2C OpenSSL 1.0.1e-2+deb7u4=0A= =A0=A0=A0 Ubuntu 12.04.4 LTS=2C OpenSSL 1.0.1-4ubuntu5.11=0A= =A0=A0=A0 CentOS 6.5=2C OpenSSL 1.0.1e-15=0A= =A0=A0=A0 Fedora 18=2C OpenSSL 1.0.1e-4=0A= =A0=A0=A0 OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c = 10 May 2012)=0A= --->=A0=A0=A0 FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013=0A= =A0=A0=A0 NetBSD 5.0.2 (OpenSSL 1.0.1e)=0A= =A0=A0=A0 OpenSUSE 12.2 (OpenSSL 1.0.1c)=0A= =0A= Operating system distribution with versions that are not vulnerable:=0A= =0A= =A0=A0=A0 Debian Squeeze (oldstable)=2C OpenSSL 0.9.8o-4squeeze14=0A= =A0=A0=A0 SUSE Linux Enterprise Server=0A= =A0=A0=A0 FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013=0A= =A0=A0=A0 FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013=0A= --->=A0=A0=A0 FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)= =0A= ...=0A= =0A= 2. lynx -dump -head http://localhost/=0A= =0A= HTTP/1.1 200 OK=0A= Date: Fri=2C 11 Apr 2014 08:10:11 GMT=0A= Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26=0A= ---> OpenSSL/1.0.1e-freebsd=0A= DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3=0A= Last-Modified: Wed=2C 12 Feb 2014 13:29:34 GMT=0A= ETag: "278b56-2c-4f235903dcb80"=0A= Accept-Ranges: bytes=0A= Content-Length: 44=0A= Connection: close=0A= Content-Type: text/html=0A= =0A= 3. http://possible.lv/tools/hb/?domain=3Dxxx=0A= =0A= ext 65281 (renegotiation info=2C length=3D1)=0A= ext 00011 (EC point formats=2C length=3D4)=0A= ext 00035 (session ticket=2C length=3D0)=0A= ext 00015 (heartbeat=2C length=3D1) <-- Your server supports heartbeat. Bug= is possible when linking against OpenSSL 1.0.1f or older. Let me check.=0A= Actively checking if CVE-2014-0160 works: Server is vulnerable to all attac= ks tested=2C please upgrade software ASAP.=0A= =0A= 4. pkg audit=0A= =0A= 0 problem(s) in the installed packages found.=0A= =0A= =0A= Cheers=0A= B.=0A= =
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DUB126-W5BC501CB4B718B4504D74A9540>