• heartbleed bug and openssl

    From Steve Wolf@1:0/0 to All on Mon Apr 14 14:48:01 2014
    Can anyone tell me if the following is susceptible to the Heartbleed bug.

    openssl-0.9.7a-43.18.el4

    I don't know much about these things but they say it's with version OpenSSL version 1.0.1.

    Can anyone tell me if this version of software is susceptible to it.

    Thanks.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobbs.
  • From Keith Keller@110:300/11 to All on Mon Apr 14 14:55:49 2014
    On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote:

    openssl-0.9.7a-43.18.el4

    I don't know much about these things but they say it's with version OpenSSL
    version 1.0.1.

    Can anyone tell me if this version of software is susceptible to it.

    The main heartbleed bug site can.

    heartbleed.com

    Look for "What versions of the OpenSSL are affected?"

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From Jim Beard@110:300/11 to All on Mon Apr 14 15:05:39 2014
    On Mon, 14 Apr 2014 07:48:01 -0700, Steve Wolf wrote:

    Can anyone tell me if the following is susceptible to the Heartbleed bug.

    openssl-0.9.7a-43.18.el4

    I don't know much about these things but they say it's with version OpenSSL
    version 1.0.1.

    Can anyone tell me if this version of software is susceptible to it.

    IIRC, the g version is not susceptible (and versions before introduction of the
    vulnerability likewise), but the above is the e version and vulnerable.

    Cheers!

    jim b.



    --
    UNIX is not user-unfriendly; it merely
    expects users to be computer-friendly.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From Steve Wolf@1:0/0 to All on Mon Apr 14 15:48:55 2014
    Thanks for the answers,

    According to the article that was pointed out by Keith K, I'm NOT susceptible.
    ---------------------------------------------------------
    What versions of the OpenSSL are affected?

    Status of different versions:

    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    OpenSSL 1.0.1g is NOT vulnerable
    OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable
    Bug was introduced to OpenSSL in December 2011 and has been out in the wild
    since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on
    7th of April 2014 fixes the bug.
    ----------------------------------------------------------------

    If I read my version correctly I have 0.7
    This is not 1.0.1 through 1.0.1f
    Thus mine is not affected?? Yet Jim says it is.

    Am I reading something incorrectly? I don't know much about all this version info.
    Thanks.




    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobbs.
  • From Aragorn@110:300/11 to All on Mon Apr 14 15:58:24 2014
    On Monday 14 April 2014 17:05, Jim Beard conveyed the following to comp.os.linux.security...

    On Mon, 14 Apr 2014 07:48:01 -0700, Steve Wolf wrote:

    Can anyone tell me if the following is susceptible to the Heartbleed
    bug.

    openssl-0.9.7a-43.18.el4

    I don't know much about these things but they say it's with version
    OpenSSL version 1.0.1.

    Can anyone tell me if this version of software is susceptible to it.

    IIRC, the g version is not susceptible (and versions before
    introduction of the vulnerability likewise), but the above is the e
    version and vulnerable.

    Not quite. Look at the version number, Jim.

    He's got 0.9.7. The vulnerability was only introduced in 1.0.1. 1.0.0
    and 0.x.x versions are unaffected.

    --
    = Aragorn =

    http://www.linuxcounter.net - registrant #223157

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Strider (110:300/11@linuxnet)
  • From William Unruh@110:300/11 to All on Mon Apr 14 17:10:31 2014
    On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote:
    Can anyone tell me if the following is susceptible to the Heartbleed bug.

    openssl-0.9.7a-43.18.el4

    I don't know much about these things but they say it's with version OpenSSL
    version 1.0.1.

    From what I have read, no it is not. Heartbeat was only introduced in
    1.0.1



    Can anyone tell me if this version of software is susceptible to it.

    Thanks.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From Keith Keller@110:300/11 to All on Mon Apr 14 17:29:49 2014
    On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote:
    If I read my version correctly I have 0.7

    If you posted correctly you have some version of 0.9.7.

    This is not 1.0.1 through 1.0.1f
    Thus mine is not affected?? Yet Jim says it is.

    Jim is incorrect.

    If you are running a network service, you can test it using this URL
    (which has a good reputation, though may still be collating vulnerable
    services for later attack):

    https://filippo.io/Heartbleed/

    Or you can download source code and test your services yourself:

    https://github.com/FiloSottile/Heartbleed

    I don't currently know a way of testing libraries client-side.

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From colinmarr0@gmail.com@1:0/0 to All on Mon Apr 14 17:48:31 2014
    Thanks.
    It looks like I'm safe from that.
    It's a funny thing isn't it: if you have the old version it's safe, if you have the new version it's not safe.

    I will take a look at the link you have provided,
    Thanks.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobbs.
  • From David W. Hodgins@110:300/11 to All on Mon Apr 14 18:08:18 2014
    On Mon, 14 Apr 2014 13:48:31 -0400, <colinmarr0@gmail.com> wrote:

    It's a funny thing isn't it: if you have the old version it's safe, if you
    have the new version it's not safe.

    Actually, it doesn't.
    $ rpm -q --changelog openssl|grep CVE
    - add upstream patch to fix CVE-2014-0160
    - add patch from upstream via opensuse to fix CVE-2014-0076
    - add upstream patch to fix CVE-2013-6450
    - use upstream patch to fix CVE 2013-4353
    - add patch from fedora to fix CVE-2013-6449
    - 1.0.0j (fixes CVE-2012-2333)
    - new version (fix CVE 2012-2110)

    That's within the last 3 years which only goes back to 1.0.0.

    I have no idea if any of those security problems also affected
    the prior versions, but I would not assume the 2014-0160 is the
    only one that doesn't.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
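    The two checks discussed so far, the version table Steve quoted from heartbleed.com and the `rpm -q --changelog openssl | grep CVE` output Dave posted, can be combined into one script: classify the upstream version number first, then let the package changelog override the result when the distribution has backported the CVE-2014-0160 fix into an older-numbered build. This is an added example, not code from the thread or from any of the posters. It uses only the Python standard library; the package string openssl-1.0.1e-16.el6 used to demonstrate the backport case is constructed for this example, and the sample changelog reproduces the lines Dave posted.

```python
import re
import subprocess

# The affected range as quoted from heartbleed.com earlier in this thread:
# 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.x never had the bug.
HEARTBLEED_CVE = "CVE-2014-0160"

# Matches bare upstream versions ("1.0.1f") and RPM-style package strings
# ("openssl-0.9.7a-43.18.el4"): base version, optional patch letter, optional release.
_VERSION_RE = re.compile(r"^(?:openssl-)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(\S+))?$")


def parse_openssl_version(s):
    """Return ((major, minor, fix), letter, release) for an OpenSSL version or package string."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % s)
    major, minor, fix, letter, release = m.groups()
    return (int(major), int(minor), int(fix)), letter, release


def upstream_heartbleed_status(s):
    """Classify purely by upstream version number, as the heartbleed.com table does."""
    base, letter, _release = parse_openssl_version(s)
    if base != (1, 0, 1):
        # 0.9.7, 0.9.8 and 1.0.0: the heartbeat extension did not exist yet.
        return "not vulnerable"
    # 1.0.1 (no letter) and 1.0.1a..1.0.1f carry the bug; 1.0.1g and later are fixed.
    return "vulnerable" if letter <= "f" else "not vulnerable"


def cves_fixed_in_changelog(changelog_text):
    """Collect CVE ids from `rpm -q --changelog` output; tolerates the 'CVE 2013-4353' spacing."""
    return {"CVE-" + m.group(1) for m in re.finditer(r"CVE[- ](\d{4}-\d{4,})", changelog_text)}


def changelog_from_rpm(package="openssl"):
    """Read the real changelog on an RPM-based host; returns '' where rpm is not installed."""
    try:
        return subprocess.run(["rpm", "-q", "--changelog", package],
                              capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def heartbleed_assessment(package_version, changelog_text=""):
    """Version check plus the backport caveat: a distribution may ship a vulnerable
    upstream number with the fix patched in, which only the changelog reveals."""
    status = upstream_heartbleed_status(package_version)
    if status == "vulnerable" and HEARTBLEED_CVE in cves_fixed_in_changelog(changelog_text):
        return "not vulnerable (fix backported per changelog)"
    return status


# Constructed sample: the lines Dave posted, as `rpm -q --changelog openssl | grep CVE` prints them.
SAMPLE_CHANGELOG = """\
- add upstream patch to fix CVE-2014-0160
- add patch from upstream via opensuse to fix CVE-2014-0076
- add upstream patch to fix CVE-2013-6450
- use upstream patch to fix CVE 2013-4353
- add patch from fedora to fix CVE-2013-6449
- 1.0.0j (fixes CVE-2012-2333)
- new version (fix CVE 2012-2110)
"""

if __name__ == "__main__":
    print(heartbleed_assessment("openssl-0.9.7a-43.18.el4"))  # the OP's package: not vulnerable
    print(heartbleed_assessment("1.0.1f"))                     # vulnerable
    print(heartbleed_assessment("1.0.1g"))                     # not vulnerable
    # Constructed package string: vulnerable upstream number, fix backported per changelog.
    print(heartbleed_assessment("openssl-1.0.1e-16.el6", SAMPLE_CHANGELOG))
    # On a real RPM host, feed the live changelog instead of the sample.
    print(heartbleed_assessment("openssl-1.0.1e-16.el6", changelog_from_rpm()))
```

    The version-only result is what the heartbleed.com table gives and it is correct for 0.9.7a; the changelog pass matters in the other direction, where a distribution build keeps a vulnerable-looking number such as 1.0.1e but has the fix applied, so version alone would produce a false alarm.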
  • From William Unruh@110:300/11 to All on Mon Apr 14 18:46:15 2014
    On 2014-04-14, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
    On 2014-04-14, Steve Wolf <stevwolf58@gmail.com> wrote:
    If I read my version correctly I have 0.7

    If you posted correctly you have some version of 0.9.7.

    This is not 1.0.1 through 1.0.1f
    Thus mine is not affected?? Yet Jim says it is.

    Jim is incorrect.

    If you are running a network service, you can test it using this URL
    (which has a good reputation, though may still be collating vulnerable services for later attack):

    https://filippo.io/Heartbleed/

    Or you can download source code and test your services yourself:

    https://github.com/FiloSottile/Heartbleed

    I don't currently know a way of testing libraries client-side.

    But if your browser does not listen on 443, this will not work even if
    your ssl library is bad. And if you have no browser, but have say imap
    running it also will not tell you that ssl is bad.


    --keith


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From William Unruh@110:300/11 to All on Mon Apr 14 18:47:13 2014
    On 2014-04-14, colinmarr0@gmail.com <colinmarr0@gmail.com> wrote:
    Thanks.
    It looks like I'm safe from that.
    It's a funny thing isn't it: if you have the old version it's safe, if you
    have the new version it's not safe.

    New additions (heartbeat) can mean new bugs.


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From Keith Keller@110:300/11 to All on Mon Apr 14 19:28:57 2014
    On 2014-04-14, William Unruh <unruh@invalid.ca> wrote:

    https://filippo.io/Heartbleed/

    Or you can download source code and test your services yourself:

    https://github.com/FiloSottile/Heartbleed

    I don't currently know a way of testing libraries client-side.

    But if your browser does not listen on 443, this will not work even if
    your ssl library is bad.

    Of course, which is exactly why I specifically wrote "I don't currently
    know a way of testing libraries client-side".

    And if you have no browser, but have say imap
    running it also will not tell you that ssl is bad.

    Actually, it can test any listener. If you point the filippo tester to
    Gmail's imaps server it passes.

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From William Unruh@110:300/11 to All on Mon Apr 14 21:18:36 2014
    On 2014-04-14, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
    On 2014-04-14, William Unruh <unruh@invalid.ca> wrote:

    https://filippo.io/Heartbleed/

    Or you can download source code and test your services yourself:

    https://github.com/FiloSottile/Heartbleed

    I don't currently know a way of testing libraries client-side.

    But if your browser does not listen on 443, this will not work even if
    your ssl library is bad.

    Of course, which is exactly why I specifically wrote "I don't currently
    know a way of testing libraries client-side".

    Those are NOT client side, those are server side. Imap server, pop
    server, http server are all servers. Now if your server does not listen
    on 443 then you might say that it is safe anyway, except you could have
    opened some other port for https.
    Also your server could serve other ssl reliant stuff and the test will
    not find them.


    And if you have no browser, but have say imap
    running it also will not tell you that ssl is bad.

    Actually, it can test any listener. If you point the filippo tester to Gmail's imaps server it passes.

    Yes, if you happen to know the ports. Ie, it will test gmail's imap
    server on port 443. But that is not what imap listens to. You can tell
    it to test the appropriate port, but most people have no idea what that
    is.
    So if you point that site to gmail's imap server, but use the default
    port 443, that may tell you that the site is OK but that will be pretty
    useless. (actually it will probably more helpfully tell you that the
    server does not respond on port 443. But then even valid servers often
    do not respond to port 443 when they are busy.)





    --keith


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From Keith Keller@110:300/11 to All on Mon Apr 14 21:48:49 2014
    On 2014-04-14, William Unruh <unruh@invalid.ca> wrote:

    Yes, if you happen to know the ports. Ie, it will test gmail's imap
    server on port 443. But that is not what imap listens to. You can tell
    it to test the appropriate port, but most people have no idea what that
    is.

    If the OP is running his own local services (which is the context in
    which the testers came up) then presumably he knows what ports they are
    running on. (And if not he probably shouldn't be running them in the
    first place.)

    So if you point that site to gmail's imap server, but use the default
    port 443, that may tell you that the site is OK but that will be pretty
    useless. (actually it will probably more helpfully tell you that the
    server does not respond on port 443. But then even valid servers often
    do not respond to port 443 when they are busy.)

    The tester returns one of three results: pass, fail, or unknown. A
    server that doesn't respond in time returns unknown, not pass or
    fail. It doesn't return OK unless it's actually OK. In theory, of
    course; there could be a bug in the heartbleed bug checker. ;-)

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
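    William's point that the tester is only meaningful on the port the service actually listens on, and Keith's that a checker should report pass, fail or unknown rather than treating "no answer" as a pass, both carry over to a local inventory check an administrator can run against their own listeners. The script below is an added example and is not code from the thread, from the filippo.io tester or from any of the posters. Rather than sending a malformed heartbeat it asks `openssl s_client -tlsextdebug` which extensions the server advertises: a listener that never announces the heartbeat extension cannot be reached by Heartbleed regardless of its library version, while one that does announce it still needs the version check above to settle the question. The service-to-port mapping is this example's own (IANA port numbers), and the sample s_client outputs are constructed in the format OpenSSL 1.0.x s_client is assumed to print.

```python
import re
import subprocess

# Well-known TLS ports for the services mentioned in the thread. Plaintext
# services that upgrade with STARTTLS need s_client's -starttls switch.
# (IANA port numbers; the mapping itself belongs to this example.)
SERVICE_PORTS = {
    "https": (443, None),
    "imaps": (993, None),
    "pop3s": (995, None),
    "imap":  (143, "imap"),
    "pop3":  (110, "pop3"),
    "smtp":  (25, "smtp"),
}

UNKNOWN = "unknown (no TLS handshake completed)"


def s_client_args(host, service):
    """Build the `openssl s_client -tlsextdebug` command for a host/service pair.
    -tlsextdebug makes s_client print every extension the server sends back."""
    port, starttls = SERVICE_PORTS[service]
    args = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-tlsextdebug"]
    if starttls:
        args += ["-starttls", starttls]
    return args


def classify_tlsext_output(output):
    """Three-state result, as Keith describes for the online tester: heartbeat
    advertised, not advertised, or unknown because no handshake completed.
    The line formats matched here are assumed from OpenSSL 1.0.x s_client."""
    if 'TLS server extension "heartbeat"' in output:
        return "heartbeat advertised"
    if re.search(r"TLS server extension|SSL-Session:", output):
        # A handshake completed and the server listed its extensions without heartbeat.
        return "heartbeat not advertised"
    # Connection refused, timeout, or a busy server: never report this as a pass.
    return UNKNOWN


def probe(host, service, timeout=10):
    """Run s_client with empty stdin so it disconnects right after the handshake."""
    try:
        proc = subprocess.run(s_client_args(host, service), input="",
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return UNKNOWN
    return classify_tlsext_output(proc.stdout + proc.stderr)


# Constructed sample outputs in the shape s_client -tlsextdebug prints them (assumed format).
SAMPLE_WITH_HEARTBEAT = """\
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
---
SSL-Session:
    Protocol  : TLSv1.2
"""

SAMPLE_WITHOUT_HEARTBEAT = """\
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
---
SSL-Session:
    Protocol  : TLSv1.2
"""

SAMPLE_REFUSED = "connect: Connection refused\nconnect:errno=111\n"

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HEARTBEAT, SAMPLE_WITHOUT_HEARTBEAT, SAMPLE_REFUSED):
        print(classify_tlsext_output(sample))
    # Against a real host, check the port the service really uses, e.g. imaps on 993:
    # print(probe("imap.example.org", "imaps"))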
  • From Jim Beard@110:300/11 to All on Tue Apr 15 01:44:07 2014
    On Mon, 14 Apr 2014 08:48:55 -0700, Steve Wolf wrote:

    Thanks for the answers,

    According to the article that was pointed out by Keith K, Im NOT
    susceptible.
    ---------------------------------------------------------
    What versions of the OpenSSL are affected?

    Status of different versions:

    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    OpenSSL 1.0.1g is NOT vulnerable
    OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable
    Bug was introduced to OpenSSL in December 2011 and has been out in the wild
    since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
    ----------------------------------------------------------------

    If I read my version correctly I have 0.7
    This is not 1.0.1 through 1.0.1f
    Thus mine is not affected?? Yet Jim says it is.

    Am I reading something incorrectly? I don't know much about all this version
    info.
    Thanks.

    My post assumed you had the current (1.0.1 version). As stated, versions before
    introduction of the vulnerability (2011) are not vulnerable.

    My failure to check your version to make sure it was current version,
    and failure to explicitly state my assumption, clearly makes this my bad.

    I stand corrected.

    Apologies

    jim b.

    --
    UNIX is not user-unfriendly; it merely
    expects users to be computer-friendly.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From Trevor Hemsley@1:0/0 to All on Tue Apr 15 10:38:15 2014
    On Mon, 14 Apr 2014 14:48:01 UTC in comp.os.linux.security, Steve Wolf <stevwolf58@gmail.com> wrote:

    Can anyone tell me if the following is susceptible to the Heartbleed bug.

    openssl-0.9.7a-43.18.el4

    No, you are not vulnerable to heartbeat.

    But, unless you have an extended update support agreement in place with Redhat,
    you are running a version of Enterprise Linux 4.x which has been out of support
    for more than 2 years and has received NO security updates to any of its
    packages for at least that time. Depending on how long ago before that it was
    that you last ran up2date (on RHEL) or yum update (on CentOS) you could be
    *years* behind on security patches. The end of support for CentOS 4 was the end
    of February 2012.

    You should urgently look at either getting a RH EUS to keep that box in
    maintenance or migrate to a supported version of the operating system ASAP -
    Heartbleed is not the only security vulnerability around, it's just the most
    prominent at the current time.

    --
    Trevor Hemsley, Brighton, UK
    Trevor dot Hemsley at ntlworld dot com

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobbs.
  • From Joe Beanfish@110:300/11 to All on Tue Apr 15 13:36:18 2014
    On Mon, 14 Apr 2014 10:48:31 -0700, colinmarr0 wrote:
    Can anyone tell me if the following is susceptible to the Heartbleed
    bug.

    openssl-0.9.7a-43.18.el4

    Thanks.
    It looks like I'm safe from that.
    It's a funny thing isn't it: if you have the old version it's safe, if you
    have the new version it's not safe.

    I will take a look at the link you have provided,
    Thanks.

    You're not susceptible to heartbleed, but you're most likely susceptible
    to a plethora of other bugs fixed between 0.9.7a and 1.0.1. Some fixes
    have been backported to redhat's flavor of 0.9.7 but not all.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)