heartbleed

heartbleed

Postby lloyd » Apr 11th, '14, 03:11

I just installed openssl 1.0.1e-8.mga4 and its related libraries. Is this version of SSL susceptible to the heartbleed bug?

Thanks!

Lloyd
lloyd
Posts: 149
Joined: Feb 4th, '14, 20:27

Re: heartbleed

Postby artificeprime » Apr 11th, '14, 03:47

Run updates. You should pull down 1.0.1e-8.2.mga4.

Code:
$ rpm -q --changelog openssl-1.0.1e | head -4
* Mon Apr 07 2014 luigiwalser <luigiwalser> 1.0.1e-8.2.mga4
+ Revision: 612765
- add upstream patch to fix CVE-2014-0160
- add patch from upstream via opensuse to fix CVE-2014-0076

CVE-2014-0160 is the bugbear at issue. Link here (reprinted below).

Code:
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Since 1.0.1e is in the adversely affected branch, I'm guessing our Mr. Walser recompiled with NO_HEARTBEATS, but someone more on top of things than me would be able to say for sure.

EDIT: As I understand it, the concerns are more server side than client side. See this thread by zxr250cc and note the link he provides.

Hope this assuages your concerns. :)
CPU: P4 3.2GHz (Northwood); Mobo: Intel D865PERL; RAM: 3GiB DDR400; VPU: ATI Radeon HD4650 (1GiB); Display: Samsung SyncMaster 206BW LCD; Sound: integrated ICH5 AC'97; OS: Mageia 5 (i586)
artificeprime
Posts: 56
Joined: May 21st, '11, 21:00
Location: Erickson, BC, Canada
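What the advisory's "missing bounds check" looks like in code, as an added example that is not from this post, the advisory, or OpenSSL itself: a constructed heartbeat handler in the shape of the pre-1.0.1g logic, beside the same handler with the length check the CVE-2014-0160 patch adds. The `memory` layout, the `secret` string, the function names and the 200-byte claim are assumptions for illustration; the record layout itself (type, 16-bit length, payload, 16 bytes of padding) is RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat body (RFC 6520): type(1) | payload_length(2, big-endian) |
 * payload | padding (>= 16 bytes). rrec_len is what the record layer really
 * delivered; payload_length is whatever the peer chose to claim. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": the received record sits at the start and
 * data from some other connection lies right behind it. Hypothetical layout
 * for this example, not an OpenSSL buffer. */
static unsigned char memory[512];
static const char secret[] = "SESSION-COOKIE=supersecret";   /* 26 bytes */

typedef int (*heartbeat_fn)(const unsigned char *rec, size_t rrec_len,
                            unsigned char *out, size_t out_cap);

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shape of the pre-1.0.1g logic: the claimed payload length is trusted and
 * copied straight out of the record buffer. Returns the response length. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rrec_len,
                         unsigned char *out, size_t out_cap)
{
    if (rrec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = n2s(rec + 1);                  /* attacker-controlled */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;  /* only the destination is checked */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                /* reads past rrec_len: the bug */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Same handler with the checks the fix adds: the record must hold at least
 * header plus minimum padding, and header + claimed payload + padding must
 * not exceed what actually arrived. Otherwise discard silently. */
int heartbeat_fixed(const unsigned char *rec, size_t rrec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rrec_len < (size_t)1 + 2 + HB_PADDING) return -1;
    uint16_t payload = n2s(rec + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > rrec_len) return -1;  /* the missing bounds check */
    if (rec[0] != HB_REQUEST) return -1;
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Put a request in `memory` that carries one real payload byte but claims
 * `claimed` bytes, with the secret immediately after the record. */
static size_t build_record(uint16_t claimed)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memory[3] = 'A';                                  /* the only genuine payload byte */
    size_t rrec_len = 4 + HB_PADDING;                 /* bytes that really arrived */
    memcpy(memory + rrec_len, secret, sizeof secret);
    return rrec_len;
}

/* Run a handler on a request claiming `claimed` bytes and count how many bytes
 * of `secret` appear in the response (0 when the handler discarded it). */
int leaked_secret_bytes(heartbeat_fn fn, uint16_t claimed)
{
    unsigned char out[1024];
    size_t rrec_len = build_record(claimed);
    int n = fn(memory, rrec_len, out, sizeof out);
    if (n < 0) return 0;
    /* Response payload byte i is memory[3 + i], so the secret, which starts
     * at memory[rrec_len], lands at out[rrec_len]. */
    size_t payload_end = (size_t)n - HB_PADDING;
    int count = 0;
    for (size_t i = 0; i < strlen(secret) && rrec_len + i < payload_end; i++)
        if (out[rrec_len + i] == (unsigned char)secret[i]) count++;
    return count;
}

int main(void)
{
    printf("vulnerable, claims 200 bytes: %d secret bytes leaked\n",
           leaked_secret_bytes(heartbeat_vulnerable, 200));
    printf("fixed, claims 200 bytes:      %d secret bytes leaked\n",
           leaked_secret_bytes(heartbeat_fixed, 200));
    return 0;
}
```

The record that arrived is 20 bytes, yet the vulnerable handler happily echoes 200, and the 26-byte secret behind the record comes back with them; on a real peer the claim can be 65535, which is the "up to 64k" in the advisory. The fixed handler compares the claim against the record length the TLS layer already knows, and drops the message. Note the check is on the source (what arrived), not the destination buffer; checking only that the response fits, as the vulnerable version does, is exactly the mistake.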

Re: heartbleed

Postby ghmitch » Apr 12th, '14, 02:45

Cauldron is currently at openssl-1.0.1g-1.mga5.i586.rpm. So it is being tested. I am guessing that they want to make sure this rewrite is thoroughly tested before unleashing it on the world. After heartbleed, everyone wants to make sure this one is right, I am sure. In the meantime the problem is fixed with a patch.
ghmitch
Posts: 325
Joined: Mar 30th, '11, 03:05
Location: Eureka California USA

Re: heartbleed

Postby mackowiakp » Apr 13th, '14, 12:53

The best test is to use link:

https://www.ssllabs.com/ssltest/

Try it on any Mageia-based server and compare to Google or Microsoft.
Linux is like a wigwam. No Windows, no Gates, but Apache inside

WARNING ! The administrator has the right to refuse to install WINDOWS, invoking the conscience clause
mackowiakp
Posts: 660
Joined: May 23rd, '13, 07:32
Location: Gdynia, Poland

Re: heartbleed

Postby wilcal » Apr 17th, '14, 21:59

Updates:
openssl-1.0.1e-1.5.mga3.i586.rpm dated 7 April 2014
openssl-1.0.1e-1.5.mga3.x86_64.rpm dated 7 April 2014
openssl-1.0.1e-8.2.mga4.i586.rpm dated 7 April 2014
openssl-1.0.1e-8.2.mga4.x86_64.rpm dated 7 April 2014
All included a heartbleed fix backported from openssl-1.0.1g
"DISK BOOT FAILURE - INSERT SYSTEM DISK AND PRESS ENTER"
is my friend
wilcal
Posts: 567
Joined: Jun 20th, '11, 02:01
Location: San Diego CA

Re: heartbleed

Postby wintpe » Apr 22nd, '14, 10:46

Just a side note to add to this heartbleed bug.

We have found that hosts running Red Hat/CentOS/Scientific version 5 with 0.9.x versions of OpenSSL
are not affected by the heartbleed vulnerability, but are affected by the heartbleed upgrade that many Red Hat/CentOS/Scientific version 6.5 and above have received, which also includes Fedora, Mageia or any other version of Linux.

This is where the server is a 1.0.1e post-heartbleed and the client is older than openssl-0.9.8e-22.el5_8.4.

You make a connection from the client using curl, or some other method, to download something, and if the version 5 era system is running
something older than openssl-0.9.8e-22.el5_8.4 the connection will fail

with an error like "asn1 encoding routines unknown message digest algorithm".

The actual error may vary according to the method employed; this one was with curl.

This was covered in a Red Hat bug report, as follows:

https://bugzilla.redhat.com/show_bug.cgi?id=676384

Regards, Peter
Red Hat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy; however, it's really not my intention to offend, so accept my apologies in advance.
wintpe
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: heartbleed

Postby doktor5000 » Apr 22nd, '14, 20:45

Thanks for the heads up. Also saw some issues but only with clients which upgraded to "101e post heartbleed" on latest RHEL with dynamic proxy tunneling. Weird thing is that ssh itself is not affected, but as the RHEL upgrades simply disabled the HEARTBEAT feature instead of upgrading to a fixed version the ssl upgrade may still be an issue.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
Posts: 18070
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
