Forum OpenACS Development: Re: Security Bug In OpenSSL

Posted by Cesareo García Rodicio on
I've been checking this OpenSSL bug and tested my server, and it was affected.

And I was playing a bit to solve that, and it seems to be easy (I'm not a security expert and I don't have very sensitive data, so I did not do a serious audit). But this works (on ns 4.99.6 (HEAD) and Debian):
1. apt-get upgrade. After that, "openssl version" gave me OpenSSL 1.0.1e 11 Feb 2013 (not 1.0.1g). The Debian guys work fast.
2. Restart NaviServer (this is not an issue of NaviServer or AOLserver).

And it works (I know that to be completely sure I would have to rebuild the certificates, but I don't think my server is of interest to the NSA or whatever 😉).

Posted by Neophytos Demetriou on
According to the security advisory from OpenSSL, the bug is fixed in 1.0.1g.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

--- https://www.openssl.org/news/secadv_20140407.txt
Posted by Cesareo García Rodicio on
Yes, 1.0.1g is the recommended upgrade.

But in my installation (upgraded from Debian, I didn't build it), 1.0.1e worked (or at least that's what the test said).

Posted by Gustaf Neumann on
Unfortunately, the world is more complex: for FC20 the fixed version is called openssl-1.0.1e-37.fc20.1
http://www.spinics.net/linux/fedora/fedora-users/msg447351.html
but compiling your own OpenSSL 1.0.1g is certainly safe in this regard.

Changing the library/recompiling is the easy part; "fixing" the damage is harder, since Heartbleed allows reading the memory (TCP buffers, etc.). One should change all HTTP authentication credentials that were ever transported over affected SSL channels, after the leak has been fixed .... also for external sites. Also, getting new certificates might not be a bad idea.
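Reading the posts together, two practical points come out: step 2 of the first post (restarting the server) matters because the package upgrade only replaces the library file on disk, and Gustaf's FC20 example shows that the string printed by `openssl version` does not tell you whether a distro backport carries the fix. The script below is an added example and is not code from this thread, from NaviServer or from OpenACS. It reports the library version next to the distro package version (the Debian package name `libssl1.0.0` and the Fedora package name `openssl` are assumptions about the host; that package version is what has to be compared against the distro advisory), and it walks /proc to list processes that still map a deleted libssl/libcrypto, which on Linux is exactly the set of processes still executing the pre-upgrade code. The maps text in `SAMPLE_MAPS` is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example, not part of the thread or of NaviServer/OpenACS.
# After "apt-get upgrade" a running server keeps the old library mapped;
# /proc/PID/maps then shows the library path followed by "(deleted)".

# report_versions: print what the library says about itself and what the
# package manager installed. Package names are assumptions about the host.
report_versions() {
    printf 'library:  %s\n' "$(openssl version 2>/dev/null || echo 'openssl not found')"
    if command -v dpkg-query >/dev/null 2>&1; then
        printf 'package:  libssl1.0.0 %s\n' "$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null)"
    elif command -v rpm >/dev/null 2>&1; then
        printf 'package:  %s\n' "$(rpm -q openssl 2>/dev/null)"
    fi
}

# stale_ssl_maps: read /proc/PID/maps text on stdin and print each distinct
# libssl/libcrypto path that is marked "(deleted)". Prints nothing if clean.
# Field 6 of a maps line is the pathname, field 7 is "(deleted)" when present.
stale_ssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $7 == "(deleted)" { print $6 }' | sort -u
}

# needs_restart: succeed (exit 0) if the maps text on stdin shows a stale library.
needs_restart() {
    [ -n "$(stale_ssl_maps)" ]
}

# scan_processes: walk /proc and print "PID<TAB>command<TAB>stale libs" for
# every process still using a replaced library. Exit 0 if any were found.
# Maps of other users' processes are unreadable without root and are skipped.
scan_processes() {
    found=1
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_maps < "$m" 2>/dev/null) || continue
        if [ -n "$libs" ]; then
            found=0
            comm=$(tr -d '\n' < "/proc/$pid/comm" 2>/dev/null)
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$(printf '%s' "$libs" | tr '\n' ' ')"
        fi
    done
    return $found
}

# Constructed sample: one process that loaded libssl/libcrypto before the
# upgrade (deleted mappings) plus an unrelated deleted libc mapping and one
# current libssl mapping that must not be reported.
SAMPLE_MAPS='7f0a00000000-7f0a00001000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0a00002000-7f0a00003000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f0a00004000-7f0a00005000 r-xp 00000000 08:01 1236 /lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f0a00006000-7f0a00007000 r-xp 00000000 08:01 1237 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Run with --scan on a real host; with --demo it evaluates the constructed sample.
case "${1-}" in
    --scan)
        report_versions
        scan_processes || echo "no process maps a deleted libssl/libcrypto"
        ;;
    --demo)
        printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps
        ;;
esac
```

Run `sh heartbleed-restart-check.sh --scan` as root after the upgrade; any PID it prints (NaviServer, but also mail, database or VPN daemons linked against the same library) is still executing the old OpenSSL and needs a restart regardless of what the version string says. The package version line is the one to match against the distro advisory, since the upstream version alone (1.0.1e on both Debian and FC20 in the thread) is not evidence either way.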