CVE-2014-0160?
sbremal at hotmail.com
sbremal at hotmail.com
Fri Apr 11 12:54:37 UTC 2014
ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
Kösz! ;-)
Is there any reason why nightly security patches are not enabled by default in FreeBSD?
Cheers
B.
----------------------------------------
> Date: Fri, 11 Apr 2014 13:46:10 +0200
> From: mohacsi at niif.hu
> To: sbremal at hotmail.com
> CC: freebsd-security at freebsd.org
> Subject: Re: CVE-2014-0160?
>
>
>
> On Fri, 11 Apr 2014, sbremal at hotmail.com wrote:
>
>> Hello
>>
>> Could anyone comment this? Worry, not to worry, upgrade, upgrade to what version?
>>
>> There are few contradicting information coming out in regards to the check of my server related to the 'heartbleed' bug:
>>
>> 1. http://heartbleed.com/
>>
>> ...
>> Status of different versions:
>>
>> ---> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>> OpenSSL 1.0.1g is NOT vulnerable
>> OpenSSL 1.0.0 branch is NOT vulnerable
>> OpenSSL 0.9.8 branch is NOT vulnerable
>> ...
>> How about operating systems?
>>
>> Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
>>
>> Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
>> Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
>> CentOS 6.5, OpenSSL 1.0.1e-15
>> Fedora 18, OpenSSL 1.0.1e-4
>> OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
>> ---> FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
>> NetBSD 5.0.2 (OpenSSL 1.0.1e)
>> OpenSUSE 12.2 (OpenSSL 1.0.1c)
>
> Consult:
>
> http://www.freebsd.org/security/advisories.html
> and
> http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
>
>
>>
>> Operating system distribution with versions that are not vulnerable:
>>
>> Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
>> SUSE Linux Enterprise Server
>> FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
>> FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
>> ---> FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
>
> Freebsd ports updated:
> http://svnweb.freebsd.org/ports/head/security/openssl/
>
>> ...
>>
>> 2. lynx -dump -head http://localhost/
>>
>> HTTP/1.1 200 OK
>> Date: Fri, 11 Apr 2014 08:10:11 GMT
>> Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26
>> ---> OpenSSL/1.0.1e-freebsd
>> DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3
>> Last-Modified: Wed, 12 Feb 2014 13:29:34 GMT
>> ETag: "278b56-2c-4f235903dcb80"
>> Accept-Ranges: bytes
>> Content-Length: 44
>> Connection: close
>> Content-Type: text/html
>>
>> 3. http://possible.lv/tools/hb/?domain=xxx
>>
>> ext 65281 (renegotiation info, length=1)
>> ext 00011 (EC point formats, length=4)
>> ext 00035 (session ticket, length=0)
>> ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
>> Actively checking if CVE-2014-0160 works: Server is vulnerable to all attacks tested, please upgrade software ASAP.
>>
>> 4. pkg audit
>>
>> 0 problem(s) in the installed packages found.
>
> Probably you use openssl form base system not from packages.
>
>
>>
>>
>> Cheers
>> B.
>>
>> _______________________________________________
>> freebsd-security at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>>
More information about the freebsd-security
mailing list