Forum OpenACS Development: Re: Security Bug In OpenSSL

Posted by Neophytos Demetriou on
According to the security advisory from OpenSSL, the bug is fixed in 1.0.1g.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

--- https://www.openssl.org/news/secadv_20140407.txt
Posted by Cesareo García Rodicio on
Yes, 1.0.1g is the recommended upgrade.

But in my installation (upgraded from Debian, I didn't build it) 1.0.1e worked (or at least that's what the test said).

Posted by Gustaf Neumann on
Unfortunately, the world is more complex: for FC20 the fixed version is called openssl-1.0.1e-37.fc20.1
http://www.spinics.net/linux/fedora/fedora-users/msg447351.html
but compiling your own OpenSSL 1.0.1g is certainly safe in this regard.

Changing the library/recompiling is the easy part; "fixing" the damage is harder, since Heartbleed allows reading memory (TCP buffers, etc.). One should change all HTTP authentication credentials that were ever transported over affected SSL channels after the leak has been fixed, also for external sites. Also, getting new certificates might not be a bad idea.
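As an added illustration (not code from this thread or from OpenACS), a small Python check that encodes the version semantics discussed above: an upstream build of 1.0.1g or later is fixed, a plain upstream 1.0.1e build is not, and a distribution build that keeps the 1.0.1e number is judged by its package release against the vendor's fixed release. Only the Fedora 20 entry is taken from the thread; the function names and the layout of `DISTRO_FIXED` are assumptions, and a build compiled with -DOPENSSL_NO_HEARTBEATS cannot be recognised from its version string at all.

```python
import re

# Upstream fix named in the OpenSSL advisory quoted earlier in the thread.
UPSTREAM_FIXED = "1.0.1g"

# Distribution builds backport the fix without bumping the upstream version.
# Only the Fedora 20 entry comes from the thread; entries for other distros
# are assumptions you must fill in from your own vendor's advisory.
DISTRO_FIXED = {
    "fc20": ("1.0.1e", "37.fc20.1"),
}

def parse_upstream(version):
    """'1.0.1e' -> (1, 0, 1, 'e'); the trailing letter orders patch releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)

def release_key(release):
    """'37.fc20.1' -> (37, 'fc20', 1): numeric parts compare as numbers.
    Assumes both releases being compared come from the same distro tag."""
    return tuple(int(t) if t.isdigit() else t for t in release.split("."))

def assess(package):
    """Classify 'openssl-1.0.1g' or 'openssl-1.0.1e-37.fc20.1' as
    'fixed', 'vulnerable' or 'unknown' (unknown = consult the vendor)."""
    m = re.fullmatch(r"openssl-(\d+\.\d+\.\d+[a-z]?)(?:-(.+))?", package)
    if not m:
        return "unknown"
    version, release = m.groups()
    upstream = parse_upstream(version)
    if upstream[:3] != (1, 0, 1):
        return "unknown"        # the advisory in the thread only names the 1.0.1 branch
    if upstream >= parse_upstream(UPSTREAM_FIXED):
        return "fixed"          # 1.0.1g or later, whoever built it
    if release is None:
        return "vulnerable"     # plain upstream build below 1.0.1g
    for tag, (fixed_version, fixed_release) in DISTRO_FIXED.items():
        if tag in release.split("."):
            if upstream < parse_upstream(fixed_version):
                return "vulnerable"
            if upstream > parse_upstream(fixed_version):
                return "fixed"
            # Same upstream number as the vendor's fixed build: the package
            # release alone decides, which is the FC20 case from the thread.
            return "fixed" if release_key(release) >= release_key(fixed_release) else "vulnerable"
    return "unknown"            # distro build with no vendor data on file
```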