The OpenSSL Heartbleed Bug Strikes The Internet

  • The OpenSSL Heartbleed Bug Strikes The Internet

    Phoronix: The OpenSSL Heartbleed Bug Strikes The Internet

    As many Phoronix readers have already reported in, a very serious OpenSSL security vulnerability was discovered that allows attackers to read memory in 64k chunks. A very serious bug in OpenSSL 1.0.1/1.0.2-beta is leaking information since the bug's introduction in 2011...

    http://www.phoronix.com/vr.php?view=MTY1ODE

  • #2
    A lot of fanboys told us to use OpenSSL when a vulnerability in GnuTLS was found. I hope this shuts them up. Software is never perfect.


    • #3
      Regardless of what happened in the GnuTLS thread, this is bad news. I've already updated my work machine, but this is going to impact a lot of businesses/sites/certificates and also users. I suspect I'm in for another round of full password changes.


      • #4
        Updates which address this security vulnerability are now available in the Ubuntu repositories for all supported versions of Ubuntu.


        • #5
          Originally posted by madbiologist:
          Updates which address this security vulnerability are now available in the Ubuntu repositories for all supported versions of Ubuntu.
          People said Ubuntu delivered the patch, and indeed last night my Mint 16 installation received an OpenSSL update. However, when I type "openssl version -a" I get


          OpenSSL 1.0.1e 11 Feb 2013
          built on: Mon Apr 7 20:33:19 UTC 2014
          platform: debian-amd64

          ^

          My laptop is also running Mint 14 and gets something similar, but the version is 1.0.1c.

          I'm getting the feeling that 1.0.1g is the patched version?

          So I tried manually adding the g version, but the makefile didn't work properly. Is there a PPA for this to get the latest version?

          Thanks


          • #6
            Originally posted by phill1978:
            OpenSSL 1.0.1e 11 Feb 2013
            built on: Mon Apr 7 20:33:19 UTC 2014
            {...}
            something similar but the version is 1.0.1c
            {...}
            I'm getting the feeling that 1.0.1g is the patched version?
            - 1.0.1g is the official OpenSSL version which doesn't have the vulnerability.

            What Debian, Ubuntu, Mint, and many other distributions are providing you is an update of openssl that is still the exact same version as before (so no change from whatever was there before to 1.0.1g, and thus no incompatibility problems due to changing versions), but with a patch against "heartbleed" applied.

            Hence the version string you're getting: this 1.0.1e version was compiled just a few hours ago, probably with the patch applied.
            (For more information, see the security update page from your distribution, for example Debian's and openSUSE's. I'm sure Ubuntu and Mint have similar sources of information.)


            • #7
              Originally posted by DrYak:
              - 1.0.1g is the official OpenSSL version which doesn't have the vulnerability.

              What Debian, Ubuntu, Mint, and many other distributions are providing you is an update of openssl that is still the exact same version as before (so no change from whatever was there before to 1.0.1g, and thus no incompatibility problems due to changing versions), but with a patch against "heartbleed" applied.

              Hence the version string you're getting: this 1.0.1e version was compiled just a few hours ago, probably with the patch applied.
              (For more information, see the security update page from your distribution, for example Debian's and openSUSE's. I'm sure Ubuntu and Mint have similar sources of information.)
              Thanks for the reply.


              • #8
                Joke's on you, I'm still on 0.9.8. Ha!


                • #9
                  Originally posted by curaga:
                  Joke's on you, I'm still on 0.9.8. Ha!
                  But not the services you were using, so...


                  • #10
                    Originally posted by phill1978:
                    People said Ubuntu delivered the patch, and indeed last night my Mint 16 installation received an OpenSSL update. However, when I type "openssl version -a" I get


                    OpenSSL 1.0.1e 11 Feb 2013
                    built on: Mon Apr 7 20:33:19 UTC 2014
                    platform: debian-amd64

                    ^

                    My laptop is also running Mint 14 and gets something similar, but the version is 1.0.1c.

                    I'm getting the feeling that 1.0.1g is the patched version?

                    So I tried manually adding the g version, but the makefile didn't work properly. Is there a PPA for this to get the latest version?

                    Thanks
                    There is also a workaround for the affected versions. Recompile with "-DOPENSSL_NO_HEARTBEATS" as a compile-time option. It's possible that the Ubuntu patched version was just recompiled with that feature disabled (which is what Red Hat/CentOS have done with version 1.0.1e).


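The posts above make one practical point: the version string alone cannot tell you whether a distribution build is patched, because backports keep "1.0.1e" and only the "built on" date changes, and a build made with -DOPENSSL_NO_HEARTBEATS has no heartbeat code at all. The following script is an added example, not code from the thread or from any distribution; it classifies the text of "openssl version -a" using exactly those signals (the 7 Apr 2014 disclosure date is used as the backport threshold, an assumption that should be confirmed against the package changelog):

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output for Heartbleed exposure.
# Heuristics: 1.0.1 to 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g is the
# upstream fix, distro backports keep the old version string but carry a
# "built on" date on or after 7 Apr 2014 (assumed threshold), and a build
# compiled with -DOPENSSL_NO_HEARTBEATS contains no heartbeat code.

# Turn "Mon Apr 7 20:33:19 UTC 2014" into 20140407 for numeric comparison.
# Prints nothing when the line cannot be parsed.
built_on_to_num() {
    set -- $1                      # word-split: Mon Apr 7 20:33:19 UTC 2014
    [ $# -ge 6 ] || return 0
    case "$2" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 0;;
    esac
    printf '%04d%s%02d\n' "$6" "$m" "$3"
}

# Usage: heartbleed_status "$(openssl version -a)"
# Prints one of: not-affected, fixed-upstream, mitigated-no-heartbeats,
# possibly-backported, vulnerable.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n 1)
    built=$(printf '%s\n' "$1" | sed -n 's/^built on: *//p' | head -n 1)
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1*) ;;             # affected release range
        1.0.1*|1.0.2*|1.1.*|3.*) echo fixed-upstream; return 0 ;;
        *) echo not-affected; return 0 ;;               # 0.9.8 / 1.0.0: no heartbeat code
    esac
    # CFLAGS are echoed on the "compiler:" line, so the disable flag shows there.
    if printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'; then
        echo mitigated-no-heartbeats; return 0
    fi
    # A rebuild dated on or after the disclosure is the fingerprint of a distro
    # backport; the package changelog is the authoritative confirmation.
    num=$(built_on_to_num "$built")
    if [ -n "$num" ] && [ "$num" -ge 20140407 ]; then
        echo possibly-backported
    else
        echo vulnerable
    fi
}
```

Run it on the output from the thread (1.0.1e built on Mon Apr 7 2014) and it reports possibly-backported; the same version built in March reports vulnerable.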