Created 8 April 2014 By Julian H. Stacey
Non technical:
- The SSL bug opens many potential internet security loopholes for users (irrespective of Microsoft, BSD, Linux etc). Many SSL based services may be affected, e.g. SMTP, POP, IMAP, SASL, XMPP (chat), VPN (corporate nets) etc.
  Allow system admins a few days to assess & upgrade servers. Just browse for a few days; avoid net banking & web + card purchases; avoid services where you login, security keys, inc. clouds & chat. Mail with POP, IMAP, VPN all affected. Maybe webmail too.
  Do not rush to login & check accounts & change passwords; wait for administrators to secure sites. (Although in theory passwords etc could have been harvested since March 2012, there is a low chance of that, & a much higher chance in the last days of criminals trying to exploit the just published weakness against current net traffic, so keep off for a few days.)
- http://www.bbc.com/news/technology-26935905
- http://www.snopes.com/computer/virus/heartbleed.asp
  It's Not a virus! despite this non technical article labeling it as such in the URL & graphic button on the page.
- http://askbobrankin.com/a_gaping_hole_in_internet_security.html?awt_l=7tTPw&awt_m=IiC1hGQx5uP6SL
  Omits "Do not rush to login" etc.
- Please Don't Mail Me Questions: Read the web & learn, then if you need, ask who you employ for support, e.g. your company's or net provider's system administrators.
Technical:
http://heartbleed.com/
Alert re SSL/TLS X.509: the bug has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
vulnerable:
  FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
not vulnerable:
  FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
  FreeBSD Ports - OpenSSL 1.0.1g (at 7 Apr 21:46:40 2014 UTC)
    -DOPENSSL_NO_HEARTBEATS
whois heartbleed.com
Creation Date: 2014-04-05 15:13
Registrant Name: Marko Laakso
Registrant Organization: Codenomicon Oy
Registrant Country: Finland
http://www.openssl.org/news/secadv_20140407.txt
OpenSSL Security Advisory [07 Apr 2014]
TLS heartbeat read overrun (CVE-2014-0160)
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@@@chromium.org> and Bodo Moeller <bmoeller@@@acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
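As an added example (not code from this page, from the advisory, or from OpenSSL itself), here is a small C parser for a TLS heartbeat message that applies the bounds check the advisory says was missing: the payload length claimed in the message header, plus the 16-byte minimum padding, must lie inside the record that was actually received, otherwise the message is rejected before anything is copied. The 16-bit payload_length field is why the advisory speaks of "up to 64k". The message layout follows RFC 6520; the function and constant names are my own, and the sample messages are constructed in the code.

```c
/* Added example, not OpenSSL code: a heartbeat message parser with the
 * bounds check that CVE-2014-0160 lacked.  Layout per RFC 6520:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The whole message must fit inside the record actually received.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
#define HB_HEADER_LEN  3

/* Returns the payload length (>= 0) and copies the payload into out on
 * success; -1 if the message is malformed or would read past the end of
 * the record; -2 if out_cap is too small for the payload. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap, int *type_out)
{
    /* Check 1: is there even room for type + length + minimum padding? */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    uint8_t type = rec[0];
    if (type != HB_REQUEST && type != HB_RESPONSE)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* Check 2 (the one that was missing): the claimed payload plus the
     * padding must sit inside the bytes we actually received.  Without
     * it, a small record with a large length field makes the copy below
     * read adjacent process memory. */
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload > out_cap)
        return -2;
    memcpy(out, rec + HB_HEADER_LEN, payload);
    if (type_out)
        *type_out = type;
    return (int)payload;
}

/* Builds a well-formed heartbeat message into buf; returns its length,
 * or 0 if it does not fit. */
size_t build_heartbeat(uint8_t *buf, size_t cap, uint8_t type,
                       const uint8_t *payload, size_t payload_len)
{
    size_t total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (total > cap || payload_len > 0xFFFF)
        return 0;
    buf[0] = type;
    buf[1] = (uint8_t)(payload_len >> 8);
    buf[2] = (uint8_t)(payload_len & 0xFF);
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    memset(buf + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return total;
}

/* Constructed well-formed request with a 4-byte payload: accepted. */
int demo_wellformed(void)
{
    uint8_t rec[64], out[64];
    const uint8_t msg[] = "ping";   /* constructed payload */
    size_t n = build_heartbeat(rec, sizeof rec, HB_REQUEST, msg, 4);
    int type = 0;
    int got = parse_heartbeat(rec, n, out, sizeof out, &type);
    return got == 4 && type == HB_REQUEST && memcmp(out, "ping", 4) == 0;
}

/* Constructed malformed request: header claims 65535 payload bytes but
 * only 4 bytes plus padding were received.  Returns -1 (rejected). */
int demo_oversized_claim(void)
{
    uint8_t rec[64], out[64];
    const uint8_t msg[] = "ping";
    size_t n = build_heartbeat(rec, sizeof rec, HB_REQUEST, msg, 4);
    rec[1] = 0xFF;
    rec[2] = 0xFF;
    return parse_heartbeat(rec, n, out, sizeof out, NULL);
}

int main(void)
{
    printf("well-formed message accepted: %s\n",
           demo_wellformed() ? "yes" : "no");
    printf("oversized length field rejected: %s\n",
           demo_oversized_claim() == -1 ? "yes" : "no");
    return 0;
}
```

The point of the example is the second check: the length that decides how many bytes are copied comes from the peer, so it must be validated against the record length the implementation knows to be real, not trusted on its own. Recompiling with -DOPENSSL_NO_HEARTBEATS, as the advisory suggests, sidesteps the question by removing the extension entirely.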
German: http://heise.de/-2165995
http://www.heise.de/security/meldung/SSL-Gau-So-testen-Sie-Programme-und-Online-Dienste-2165995.html
Extracts (translated from the German):
In the morning, for example Adobe.com, Web.de, VeriSign.com, Comodo.com and the site of the online password manager LastPass were still vulnerable.
On Tuesday afternoon even the OpenSSL project's own site was still vulnerable.
OpenSSH at first sight does not appear to be affected.
http://filippo.io/Heartbleed/ (the test form takes example.com[:443]; port numbers per /etc/services, e.g. "https 443/sctp"), or link directly: http://filippo.io/Heartbleed/#yourhost.com:443
http://www.berklix.org servers run FreeBSD:
http://lists.freebsd.org/pipermail/freebsd-security/2014-April/subject.html
http://lists.freebsd.org/pipermail/freebsd-security/2014-April/007404.html
http://lists.freebsd.org/pipermail/freebsd-questions/2014-April/257326.html
http://lists.freebsd.org/pipermail/freebsd-security-notifications/2014-April/000200.html refers to CVE-2014-0076 & CVE-2014-0160 & openssl.patch
FreeBSD-9.1:
cd /var/db/pkg; echo openssl*
cd /var/db/ports/openssl
grep OPENSSL_NO_HEARTBEATS /var/db/ports/openssl/options
mv /var/db/ports/openssl /var/db/ports/openssl.was
cd /usr/ports/security/openssl
make clean
make
No mention of heartbeat during configure.
Need to import current ports/ sources. ....
pkg_info -R openssl-1.0.1_4
apache22-2.2.23 cyrus-sasl-2.1.25_2 lynx-2.8.7.2,1
FreeBSD-9.1 + /pub/FreeBSD/branches/-current/ports/security/openssl/Makefile
350548 2014-04-07 21:46:40Z
DISTVERSIONSUFFIX= g
PORTREVISION= 10
sftp & cp -R ....
cd /usr/ports/security/openssl.2014-04-07 ; make install
broke, needed new Mk/ too ... sftp ....
cd /var/db/pkg; echo openssl*
openssl-1.0.1_10 openssl-1.0.1_4
pkg_delete -f openssl-1.0.1_4
....
cd /pub/FreeBSD/branches/-current/ports/ports-mgmt/dialog4ports
tar zcf ~/tmp/j .
sftp ..
mkdir /usr/ports/ports-mgmt/dialog4ports
cd /usr/ports/ports-mgmt/dialog4ports
tar zxf ~/tmp/j
make clean ; make install
cd /usr/ports/security/openssl.2014-04-07
make clean
rm -rf /var/db/ports/openssl*
make
make install
cd /etc/mail
make stop
make start
mailq
FreeBSD-9.2:
man ssh: The HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA algorithms.
man sshd: no mention of ssl
man ssl: The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.
cd /var/db/pkg; echo openssl*
pkg_info -R openssl-1.0.1_8
cups-base-1.5.4_1 cups-1.5.4 hplip-3.13.6
openldap-client-2.4.35 libreoffice-4.0.4_1 git-1.8.3.4
dillo-3.0.3 wget-1.14_2 wireshark-1.10.1
echo firefox*
pkg_info -r firefox-23.0,1 | grep -i ssl # Nothing :-)
PS extracts:
{
From: Pete Stephenson <pete@@@heypete.com>
Date: Thu, 10 Apr 2014 00:45:55 +0200
To: ... gnupg-users@@@gnupg.org
Firefox is immune because it uses the NSS Crypto library.
}
----------
{
From: Sam Gleske <sam.mxracer@gmail.com>
Date: Wed, 9 Apr 2014 19:10:10 -0400 (Thu 01:10 CEST)
To: ... Gnupg-users <gnupg-users@gnupg.org>
While it's true Firefox does not link openssl in binaries the vulnerability
allows an attacker to easily hijack sessions, steal usernames and
passwords, and steal the server private key during the SSL negotiation
phase. See my comments above for how you can verify that.
}
----------
FreeBSD-10.0:
cd /var/db/pkg; echo openssl* # openssl-1.0.1_8
cd /var/db/ports/openssl # /var/db/ports/openssl: No such file or directory.
Mentioned on gnupg mail list:
http://pastebin.com/WmxzjkXJ contains http://s3.jspenguin.org/ssltest.py