
heartbleed

PostPosted: Apr 11th, '14, 03:11
by lloyd
I just installed openssl 1.0.1e-8.mga4 and its related libraries. Is this version of SSL susceptible to the heartbleed bug?

Thanks!

Lloyd

Re: heartbleed

PostPosted: Apr 11th, '14, 03:47
by artificeprime
Run updates. You should pull down 1.0.1e-8.2.mga4.

Code:
$ rpm -q --changelog openssl-1.0.1e | head -4
* Mon Apr 07 2014 luigiwalser <luigiwalser> 1.0.1e-8.2.mga4
+ Revision: 612765
- add upstream patch to fix CVE-2014-0160
- add patch from upstream via opensuse to fix CVE-2014-0076

CVE-2014-0160 is the bugbear at issue. Link here (reprinted below).

Code:
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Since 1.0.1e is in the adversely-affected branch, I'm guessing our Mr. Walser recompiled with NO_HEARTBEATS, but someone more on top of things than me would be able to say for sure.

EDIT: As I understand it, the concerns are more server side than client side. See this thread by zxr250cc and note the link he provides.

Hope this assuages your concerns. :)
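The "missing bounds check" the advisory describes, as an added example in C (this is not OpenSSL's code and not from this thread): a simplified heartbeat handler before and after the 1.0.1g fix, run against a constructed buffer that stands in for process memory. The record layout follows RFC 6520 (type, 2-byte payload length, payload, padding); the `memory` buffer, the `SECRET` string and the `leak_test` helper are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520): 1-byte type, 2-byte
 * payload_length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX      65535  /* the 2-byte length field lets a peer ask for 64k */

/* Constructed "process memory" for the demo (an assumption, not a real heap):
 * the received record sits at the start and a fake secret the server never
 * intends to send sits directly after it. */
static unsigned char memory[4096];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Write a request that claims `claimed_len` payload bytes but carries
 * `actual_len`. Returns the true record length as the transport sees it. */
size_t build_request(unsigned char *out, uint16_t claimed_len,
                     const unsigned char *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Pre-1.0.1g behaviour: the length inside the message is trusted and that
 * many bytes are copied from the record buffer, past its real end. */
size_t handle_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp)
{
    (void)rec_len;  /* never consulted: this is the missing bounds check */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);  /* over-read of up to 64k */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return payload_len;
}

/* 1.0.1g behaviour: header + claimed payload + minimum padding must fit in
 * the record actually received, else the message is silently dropped
 * (returns 0). Building with -DOPENSSL_NO_HEARTBEATS, the advisory's
 * workaround, removes heartbeat processing entirely. */
size_t handle_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp)
{
#ifdef OPENSSL_NO_HEARTBEATS
    (void)rec; (void)rec_len; (void)resp;
    return 0;
#else
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                /* too short to parse */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                                /* claimed more than sent */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return payload_len;
#endif
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hay_len; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Send a 4-byte "ping" that claims `claimed_len` payload bytes (keep it well
 * below sizeof memory so the over-read stays inside the demo buffer) to the
 * chosen handler. Returns -1 if the message was dropped, 1 if the response
 * contains SECRET (bytes beyond the record), 0 if answered without a leak. */
int leak_test(int use_fixed_handler, uint16_t claimed_len)
{
    static unsigned char resp[3 + HB_MAX + HB_PADDING];
    const unsigned char payload[4] = { 'p', 'i', 'n', 'g' };
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_request(memory, claimed_len, payload, sizeof payload);
    memcpy(memory + rec_len, SECRET, sizeof SECRET);
    size_t n = use_fixed_handler
             ? handle_heartbeat_fixed(memory, rec_len, resp)
             : handle_heartbeat_vulnerable(memory, rec_len, resp);
    if (n == 0)
        return -1;
    return contains(resp + 3, n, SECRET) ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, claims 1024 bytes: %d (1 = secret leaked)\n", leak_test(0, 1024));
    printf("fixed, claims 1024 bytes:      %d (-1 = dropped)\n", leak_test(1, 1024));
    printf("fixed, honest 4-byte ping:     %d (0 = echoed, no leak)\n", leak_test(1, 4));
    return 0;
}
```

Build with `cc -o hb hb.c && ./hb`; build with `cc -DOPENSSL_NO_HEARTBEATS ...` to see the advisory's workaround path, where the fixed handler drops every heartbeat. The practical point for this thread is that the version string alone does not tell you which of the two handlers a distro package contains: a package still called 1.0.1e can carry the 1.0.1g check as a backport, which is exactly what the changelog line naming CVE-2014-0160 above records.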

Re: heartbleed

PostPosted: Apr 12th, '14, 02:45
by ghmitch
Cauldron is currently at openssl-1.0.1g-1.mga5.i586.rpm. So it is being tested. I am guessing that they want to make sure this rewrite is thoroughly tested before unleashing it on the world. After heartbleed, everyone wants to make sure this one is right, I am sure. In the meantime the problem is fixed with a patch.

Re: heartbleed

PostPosted: Apr 13th, '14, 12:53
by mackowiakp
The best test is to use this link:

https://www.ssllabs.com/ssltest/

Try it on any Mageia-based server and compare to Google or Microsoft.

Re: heartbleed

PostPosted: Apr 17th, '14, 21:59
by wilcal
Updates:
openssl-1.0.1e-1.5.mga3.i586.rpm dated 7 April 2014
openssl-1.0.1e-1.5.mga3.x86_64.rpm dated 7 April 2014
openssl-1.0.1e-8.2.mga4.i586.rpm dated 7 April 2014
openssl-1.0.1e-8.2.mga4.x86_64.rpm dated 7 April 2014
All included a heartbleed fix backported from openssl-1.0.1g

Re: heartbleed

PostPosted: Apr 22nd, '14, 10:46
by wintpe
Just a side note to add to this heartbleed bug.

We have found that hosts running RedHat/CentOS/Scientific version 5 with 0.9.x versions of OpenSSL are not affected by the heartbleed vulnerability, but are affected by the heartbleed upgrade that many RedHat/CentOS/Scientific version 6.5 and above systems have received, which also includes Fedora, Mageia or any other version of Linux.

This is where the server is 1.0.1e post-heartbleed and the client is older than openssl-0.9.8e-22.el5_8.4.

You make a connection from the client using curl, or some other method, to download something, and if the version 5 era system is running something older than openssl-0.9.8e-22.el5_8.4 the connection will fail

with an error like "asn1 encoding routines unknown message digest algorithm".

The actual error may vary according to the method employed; this one was with curl.

This was covered in a Red Hat bug report as follows:

https://bugzilla.redhat.com/show_bug.cgi?id=676384

regards peter

Re: heartbleed

PostPosted: Apr 22nd, '14, 20:45
by doktor5000
Thanks for the heads up. Also saw some issues but only with clients which upgraded to "101e post heartbleed" on latest RHEL with dynamic proxy tunneling. Weird thing is that ssh itself is not affected, but as the RHEL upgrades simply disabled the HEARTBEAT feature instead of upgrading to a fixed version the ssl upgrade may still be an issue.