This site is now 100% read-only, and retired.

OpenSSL Heartbeat, a.k.a. Heartbleed Bug

Posted by ajt on Tue 8 Apr 2014 at 22:24

Tags: , , , ,

A serious security flaw has come to light in the OpenSSL package used in many Linux distributions including Debian. It is considered very serious and all administrators should patch their systems at once and restart any services that rely on OpenSSL.

Users should probably regenerate any SSL certificates if their server was "at risk".

More details can be found here:

At the moment Debian versions known to be at risk of exploit are:

  • stable
  • testing

Debian versions know to be not at risk:

  • oldstable
  • unstable

 

 

 

#
Re: OpenSSL Heartbeat, a.k.a. Heartblead Bug
Posted by Anonymous (124.171.xx.xx) on Wed 9 Apr 2014 at 00:30
Fixed packages for wheezy (1.0.1e-2+deb7u5) are available from security.debian.org as normal.

It's also recommended that you get new certificates as no-one is quite sure just how much information has leaked here. Yell at your local cabal certificate provider to give you a replacement cert with the same expiry at no cost.

[ Parent ]

#
Re: OpenSSL Heartbeat, a.k.a. Heartblead Bug
Posted by Anonymous (212.110.xx.xx) on Wed 9 Apr 2014 at 11:04
Had a fun yesterday morning updating all our (centos) servers at work. Very impressed with how fast updates were released for all the affected versions of Linux!

sno

[ Parent ]

#
Re: OpenSSL Heartbeat, a.k.a. Heartblead Bug
Posted by simonw (212.110.xx.xx) on Sat 12 Apr 2014 at 04:37
[ View Weblogs ]

Some of the distros and people terminating large amounts of HTTPS traffic were tipped off earlier to allow them to prepare patches, but from a procedural perspective the process of patching appears good for all major distros, then again we've had a lot of practice.

[ Parent ]

#
Re: OpenSSL Heartbeat, a.k.a. Heartblead Bug
Posted by Anonymous (212.232.xx.xx) on Tue 15 Apr 2014 at 00:58
Not a single server of mine is affected. Many of them running SSL 0.9.8, another reason why not to rush with software upgrade :P

I think they make this bug bigger than it actually is.
I spent like 2 hours to go through webservers on my bookmarks (many sites are from 2nd 3rd world countries with poor security) still I couldn't find a single one which is vulnerable.

BTW It's good to see that this site is still kept alive.

[ Parent ]

#
Re: OpenSSL Heartbeat, a.k.a. Heartblead Bug
Posted by Anonymous (84.45.xx.xx) on Tue 15 Apr 2014 at 18:31
1.0.1g fixed a vulnerability which is still present in 0.9.8. 0.9.8 also has weaker protocol support.

The vulnerability referred to in 0.9.8 is much harder to exploit and disabled in some (most?) distro builds, but I don't think this is a good example of where slow maintenance helped. It could so easily have been any earlier release.

[ Parent ]