CVE-2014-0160?

sbremal at hotmail.com
Fri Apr 11 11:36:40 UTC 2014


Hello

Could anyone comment on this? Worry, not worry, upgrade, upgrade to what version?

There is some contradictory information coming out regarding the check of my server for the 'heartbleed' bug:

1. http://heartbleed.com/

...
Status of different versions:

--->    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    OpenSSL 1.0.1g is NOT vulnerable
    OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable
...
How about operating systems?

Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    CentOS 6.5, OpenSSL 1.0.1e-15
    Fedora 18, OpenSSL 1.0.1e-4
    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
--->    FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    NetBSD 5.0.2 (OpenSSL 1.0.1e)
    OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

    Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
    SUSE Linux Enterprise Server
    FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
    FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
--->    FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
...

2. lynx -dump -head http://localhost/

HTTP/1.1 200 OK
Date: Fri, 11 Apr 2014 08:10:11 GMT
Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26
---> OpenSSL/1.0.1e-freebsd
DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3
Last-Modified: Wed, 12 Feb 2014 13:29:34 GMT
ETag: "278b56-2c-4f235903dcb80"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

3. http://possible.lv/tools/hb/?domain=xxx

ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Server is vulnerable to all attacks tested, please upgrade software ASAP.

4. pkg audit

0 problem(s) in the installed packages found.


Cheers
B.
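As an added example (not part of the post, and not FreeBSD's or OpenSSL's own tooling): a small Python checker that extracts the advertised OpenSSL version from a banner such as the Server header above and compares it with the 1.0.1 through 1.0.1f range quoted from heartbleed.com. The sample banners are constructed from the lines in the post; a build patched by the vendor may keep a banner inside that range, so a match is a reason to confirm, not proof.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, str]  # (major, minor, fix, patch letter)

# Range quoted from heartbleed.com in the post: 1.0.1 through 1.0.1f inclusive.
HEARTBLEED_MIN: Version = (1, 0, 1, "")
HEARTBLEED_MAX: Version = (1, 0, 1, "f")

# Matches "OpenSSL/1.0.1e-freebsd" (Server header) and "OpenSSL 1.0.1c 10 May 2012"
# (`openssl version` style). Vendor suffixes such as "-freebsd" are ignored.
_VERSION_RE = re.compile(r"OpenSSL[/ ]?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[Version]:
    """Return the OpenSSL version found in a banner, or None if there is none."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def classify_banner(text: str) -> str:
    """Classify a banner against the heartbleed.com version range.

    'in-range' means the advertised version is 1.0.1 .. 1.0.1f: confirm with a
    real check, because a vendor-patched build can keep the old banner.
    'out-of-range' covers 0.9.8, 1.0.0 and 1.0.1g or later.
    """
    ver = parse_openssl_version(text)
    if ver is None:
        return "unknown"  # no OpenSSL version advertised at all
    # Tuple comparison orders "" < "a" < ... < "f" < "g", matching OpenSSL letters.
    if HEARTBLEED_MIN <= ver <= HEARTBLEED_MAX:
        return "in-range"
    return "out-of-range"


if __name__ == "__main__":
    # Constructed inputs, taken from the banners quoted in the post.
    for line in (
        "Server: Apache/2.2.26 (FreeBSD) mod_ssl/2.2.26 OpenSSL/1.0.1e-freebsd",
        "FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013",
        "FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)",
        "Server: nginx",
    ):
        print(f"{classify_banner(line):13s} {line}")
```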


More information about the freebsd-security mailing list