Author Topic: Heartbleed Bug (Read 8764 times)

WORM. · « **on:** April 08, 2014, 09:26:57 AM »

http://heartbleed.com

Basically.....if you use TLS on OpenSSL (https webservers; services running TLS enabled daemons like SMTP/POP/IMAP) you most likely have to think about doing some necessary patching and key re-generating.

Blame NSA

VaeVictis · « **Reply #1 on:** April 08, 2014, 07:03:56 PM »

Only a problem for certain versions of OpenSSL

You can see NVD entry here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Only affects 1.0.1 through 1.0.1f

upstream patches for enterprise grade linux repositories should be out shortly (if not already), and rolled down stream accordingly (redhat -> centos -> etc etc)

patch is already out if you want to compile from source

It is quite nasty though, and if I were running any SSL setups myself I would go through and generate a new key/cert combo immediately

companies like thawte and comodo are probably getting hammered right now with requests

and if you don't have the time to currently patch, should close all SSL ports (443, 995, 993, 465, etc)

yahoo · « **Reply #2 on:** April 08, 2014, 11:58:55 PM »

Quote from: VaeVictis on April 08, 2014, 07:03:56 PM

Only a problem for certain versions of OpenSSL

You can see NVD entry here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Only affects 1.0.1 through 1.0.1f

upstream patches for enterprise grade linux repositories should be out shortly (if not already), and rolled down stream accordingly (redhat -> centos -> etc etc)

patch is already out if you want to compile from source

It is quite nasty though, and if I were running any SSL setups myself I would go through and generate a new key/cert combo immediately companies like thawte and comodo are probably getting hammered right now with requests

and if you don't have the time to currently patch, should close all SSL ports (443, 995, 993, 465, etc)

And now the media is hyping it.

http://time.com/55037/heartbleed-internet-security-encryption-risk/

VaeVictis · « **Reply #3 on:** April 09, 2014, 01:00:56 AM »

Quote from: yahoo on April 08, 2014, 11:58:55 PM

Quote from: VaeVictis on April 08, 2014, 07:03:56 PM
Only a problem for certain versions of OpenSSL

You can see NVD entry here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Only affects 1.0.1 through 1.0.1f

upstream patches for enterprise grade linux repositories should be out shortly (if not already), and rolled down stream accordingly (redhat -> centos -> etc etc)

patch is already out if you want to compile from source

It is quite nasty though, and if I were running any SSL setups myself I would go through and generate a new key/cert combo immediately companies like thawte and comodo are probably getting hammered right now with requests

and if you don't have the time to currently patch, should close all SSL ports (443, 995, 993, 465, etc)

And now the media is hyping it.

http://time.com/55037/heartbleed-internet-security-encryption-risk/

oh don't get me wrong, this is HORRIBLE

but, just because a vulnerability exists doesn't mean it was exploited by everyone all the time... I see vulnerable versions of PHP, Apache, and site software up on web servers all the time that for sizable websites that haven't been cracked into yet, so that old wise tail of "I put this server on the internet, and it was compromised within seconds!" is pretty much a lie

personally if I was a less responsible person I would have taken work off and set up a harvester to try and dump memory to as many https sites as I possibly could, because most of them likely won't change their private key even if they do generate a new certificate

the phrase "internet security" has and always will be a contradicting joke

yahoo · « **Reply #4 on:** April 09, 2014, 02:57:09 AM »

found this link.

filippo.io/Heartbleed
rehmann.co/projects/heartbeat/

btw, so does this mean IIS has no problem since if im not mistaken its not using open ssl?

WORM. · « **Reply #5 on:** April 09, 2014, 09:41:11 AM »

Quote from: yahoo on April 09, 2014, 02:57:09 AM

btw, so does this mean IIS has no problem since if im not mistaken its not using open ssl?

Correct.....IIS is not open source and does not use OpenSSL......IIS has enough vulnerabilities as it is.

VaeVictis · « **Reply #6 on:** April 09, 2014, 11:08:22 PM »

IMHO, if you run iis, you have bigger problems

quadz · « **Reply #7 on:** April 10, 2014, 12:39:27 AM »

Quote from: VaeVictis on April 09, 2014, 01:00:56 AM

that old wise tail

Ah, the joys and pitfalls of Hooked on Phonics.

BTW, for all here with SSH access to tastyspleen.net, I should mention that (by simple luck) we weren't running one of the vulnerable versions of OpenSSL.

(yay!)

VaeVictis · « **Reply #8 on:** April 10, 2014, 01:17:26 AM »

Quote from: quadz on April 10, 2014, 12:39:27 AM

Quote from: VaeVictis on April 09, 2014, 01:00:56 AM
that old wise tail

Ah, the joys and pitfalls of Hooked on Phonics.

BTW, for all here with SSH access to tastyspleen.net, I should mention that (by simple luck) we weren't running one of the vulnerable versions of OpenSSL.

(yay!)

english can go fuck itself

not enough semicolons and curly braces for my tastes

quadz · « **Reply #9 on:** April 10, 2014, 01:55:47 AM »

Quote from: VaeVictis on April 10, 2014, 01:17:26 AM

english can go fuck itself

not enough semicolons and curly braces for my tastes

Well now, it may be a mute point to observe that your mangling of the idiomatic expression Old Wives' Tale would still be wrong in any language, but who knows: one in the same it's a doggy-dog world and this could be a blessing in the skies, so for all intensive purposes let's nip it in the butt.

|iR|Focalor · « **Reply #10 on:** April 10, 2014, 08:55:28 AM »

Quote from: quadz on April 10, 2014, 01:55:47 AM

Well now, it may be a mute point to observe that your mangling of the idiomatic expression Old Wives' Tale would still be wrong in any language, but who knows: one in the same it's a doggy-dog world and this could be a blessing in the skies, so for all intensive purposes let's nip it in the butt.

Davey was hit in the head with an English textbook so hard that he required an MRI for intensive purposes.

bluemeanies · « **Reply #11 on:** April 10, 2014, 09:48:24 AM »

What a time sink...paying for reliable hosting means that the systems are getting patched, but they recommend you reissue certs, change all passwords, you're talking admin panels, cms systems, custom back end tools, etc, etc...

QwazyWabbit · « **Reply #12 on:** April 10, 2014, 01:34:43 PM »

Quote from: quadz on April 10, 2014, 12:39:27 AM

Quote from: VaeVictis on April 09, 2014, 01:00:56 AM
that old wise tail

Ah, the joys and pitfalls of Hooked on Phonics.

BTW, for all here with SSH access to tastyspleen.net, I should mention that (by simple luck) we weren't running one of the vulnerable versions of OpenSSL.

(yay!)

Sometimes it pays to lag the power curve just a little. Let the early adopters thrash around with the shiny new toy a bit.

A rolling stone lathers no moths.

VaeVictis · « **Reply #13 on:** April 10, 2014, 07:16:35 PM »

Quote from: quadz on April 10, 2014, 01:55:47 AM

it may be a mute point

moot point*

Quote from: QwazyWabbit on April 10, 2014, 01:34:43 PM

Sometimes it pays to lag the power curve just a little. Let the early adopters thrash around with the shiny new toy a bit.

A rolling stone lathers no moths.

except the vulnerability has been in place for 2 years haha was quite convenient that half the servers at my work were running 0.9.8 though

quadz · « **Reply #14 on:** April 11, 2014, 03:29:52 AM »

Quote from: VaeVictis on April 10, 2014, 07:16:35 PM

Quote from: quadz on April 10, 2014, 01:55:47 AM
it may be a mute point

moot point*

Don't tell me you only spotted one out of six?

Author Topic: Heartbleed Bug (Read 8764 times)

El Box de Shoutamente