CVE-2014-0160?
sbremal at hotmail.com
Fri Apr 11 11:36:40 UTC 2014
Hello
Could anyone comment on this? Worry, not to worry, upgrade, upgrade to what version?
There are a few contradictory pieces of information coming out regarding the check of my server for the 'heartbleed' bug:
1. http://heartbleed.com/
...
Status of different versions:
---> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
...
How about operating systems?
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
---> FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distribution with versions that are not vulnerable:
Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
---> FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
...
2. lynx -dump -head http://localhost/
HTTP/1.1 200 OK
Date: Fri, 11 Apr 2014 08:10:11 GMT
Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26
---> OpenSSL/1.0.1e-freebsd
DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3
Last-Modified: Wed, 12 Feb 2014 13:29:34 GMT
ETag: "278b56-2c-4f235903dcb80"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
3. http://possible.lv/tools/hb/?domain=xxx
ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Server is vulnerable to all attacks tested, please upgrade software ASAP.
4. pkg audit
0 problem(s) in the installed packages found.
Cheers
B.
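As an added example (not part of the post above or of anything from the FreeBSD list), here is a small POSIX shell check that applies the version table quoted from heartbleed.com to the OpenSSL token found in an Apache "Server:" header. The sample header is constructed from the one shown in the lynx output; the function names are my own and not any tool's interface.

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL upstream
# version string against the heartbleed.com status table quoted above
# (1.0.1 through 1.0.1f vulnerable; 1.0.1g, 1.0.0 and 0.9.8 not), and pull
# that string out of an Apache "Server:" header line.

# Print "vulnerable", "not-vulnerable" or "unknown" for a version such as
# 1.0.1e. Distribution suffixes (1.0.1e-freebsd, 1.0.1e-2+deb7u4) are
# stripped first; only the upstream part is classified.
heartbleed_status() {
    v=$(printf '%s' "$1" | sed 's/[-+].*$//')
    case "$v" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        1.0.1[g-z]*)      echo not-vulnerable ;;
        1.0.0*|0.9.8*)    echo not-vulnerable ;;
        *)                echo unknown ;;
    esac
}

# Extract the token after "OpenSSL/" from a Server: header line.
# Prints nothing when the header carries no OpenSSL token.
openssl_from_server_header() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([^ ]*\).*|\1|p'
}

# Combine the two: classify whatever the banner advertises, or report
# that the banner does not advertise an OpenSSL version at all.
check_server_header() {
    tok=$(openssl_from_server_header "$1")
    if [ -z "$tok" ]; then
        echo no-openssl-token
    else
        heartbleed_status "$tok"
    fi
}

# Constructed sample, modelled on the header in the post above.
SAMPLE_HEADER='Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26 OpenSSL/1.0.1e-freebsd DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3'

printf 'banner token: %s\n' "$(openssl_from_server_header "$SAMPLE_HEADER")"
printf 'banner status: %s\n' "$(check_server_header "$SAMPLE_HEADER")"
```

The check only reads a banner, which is worth keeping in mind when reconciling the outputs in the post: the mod_ssl banner carries a build-time version string, a distribution may ship a fixed library under an unchanged upstream string (so this classifier would still report it as vulnerable), and the banner says nothing about which library the running process is actually linked against. `pkg audit` in turn reports only on installed packages, as its own output states. Of the three sources in the post, only the active check observes the server's actual behaviour.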