Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

[Alain Hebert <ahebert () pubnix net>]

    Hi,

    I was wondering why most of my secure services didn't show up as
vulnerable...

-----

    It do not seems to affect those services that require a valid user
certificate.

    aka, in apache 2.2

        SSLVerifyClient Require
        SSLVerifyDepth 1 (up to 10)

    I couldn't find a way to use the HB before satisfying the verify.

    I might be wrong.
       
-----
Alain Hebert                                ahebert () pubnix net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 04/08/14 08:18, David Hubbard wrote:
> Don't forget to restart every daemon that was using the old library as
> well, or just reboot.
>
> -----Original Message-----
> From: Peter Kristolaitis [mailto:alter3d () alter3d ca]
> Sent: Tuesday, April 08, 2014 1:19 AM
> To: nanog () nanog org
> Subject: Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>
> Not just run the updates -- all private keys should be changed too, on
> the assumption that they've been compromised already.  THAT is going to
> be the crappy part of this.
>
> - Pete
>
>
> On 4/8/2014 1:13 AM, David Hubbard wrote:
> > RHEL and CentOS both have patches out as of a couple hours ago, so run
>
> > those updates!  CentOS' mirrors do not all have it yet, so if you are
> > updating, make sure you get the
> > 1.0.1e-16.el6_5.7 version and not older.
> >
> > David
> >
> > -----Original Message-----
> > From: Paul Ferguson [mailto:fergdawgster () mykolab com]
> > Sent: Tuesday, April 08, 2014 1:07 AM
> > To: NANOG
> > Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - ferg
>
>
>
> Begin forwarded message:
>
> > > > From: Rich Kulawiec <rsk () gsp org> Subject: Serious bug in ubiquitous
> > > > OpenSSL library: "Heartbleed" Date: April 7, 2014 at 9:27:40 PM EDT
> > > >
> > > > This reaches across many versions of Linux and BSD and, I'd presume,
> > > > into some versions of operating systems based on them.
> > > > OpenSSL is used in web servers, mail servers, VPNs, and many other
> > > > places.
> > > >
> > > > Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
> > > > http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerabilit
> > > > y
> > > > -revealed-7000028166/
> > > >
> > > >   Technical details: Heartbleed Bug http://heartbleed.com/
> > > >
> > > > OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
> > > > through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
> > > > vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
> > > > NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>
> >