
Thread: opensuse 12.2 and ssh heartbleed.

  1. #1

    opensuse 12.2 and ssh heartbleed.

    Good morning,
    are there any openssl updates for opensuse 12.2 too? At least 1.0.1g, I think.
    Thanks and best regards
    J.Karliak.

  2. #2

    Re: opensuse 12.2 and ssh heartbleed.

    Originally Posted by karlijos:
    are there any openssl updates for opensuse 12.2 too? At least 1.0.1g, I think.
    No. 12.2 has been out of support since January already. There are no updates any more; better upgrade to a supported version (12.3 or 13.1).

    See also: http://en.opensuse.org/Lifetime

    That said, the fixed 12.3 package is available for 12.2 here: http://software.opensuse.org/downloa...ackage=openssl

  3. #3

    Re: opensuse 12.2 and ssh heartbleed.

    Ohh,
    not ssh but ssl - my mistake in the Title.
    Anyway - by the test "echo HEAD / | openssl s_client -connect server:443 -tlsextdebug 2>&1 | grep -i 'TLS server extension "heartbeat"'" displays enabled:
    TLS server extension "heartbeat" (id=15), len=1

    rpm -qa:
    openssl-1.0.1e-1.46.2.x86_64

    I planned to distroupdate the server, but not right now. It is quite an important server; management must agree to server maintenance :-/
    Any recommendations for now? How to disable heartbeat in ssl? Or so?

    Thanks and best regards

    J.Karliak.

  4. #4
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,134

    Re: opensuse 12.2 and ssh heartbleed.

    Hello,
    Please use CODE tags around your copied/pasted computer text, to make it readable for others.
    To get the tags, click on the # button in the tool bar of the post editor.
    Henk van Velden

  5. #5

    Re: opensuse 12.2 and ssh heartbleed.

    Hi,
    sorry. Here it is.
    Code:
    echo HEAD / | openssl s_client -connect server:443 -tlsextdebug 2>&1 | grep -i 'TLS server extension "heartbeat"'
    Code:
    TLS server extension "heartbeat" (id=15), len=1

  6. #6

    Re: opensuse 12.2 and ssh heartbleed.

    Originally Posted by karlijos:
    Any recommendations for now? How to disable heartbeat in ssl? Or so?
    No idea.

    You asked for an openssl update for 12.2, and the packages I linked to contain the fix for that heartbeat issue as released for 12.3 and 13.1:
    Code:
    rpm -qp --changelog http://download.opensuse.org/repositories/home:/bmwiedemann:/branches:/openSUSE:/12.3:/Update/openSUSE_12.2/x86_64/libopenssl1_0_0-1.0.1e-1.46.2.x86_64.rpm | head
    warning: http://download.opensuse.org/repositories/home:/bmwiedemann:/branches:/openSUSE:/12.3:/Update/openSUSE_12.2/x86_64/libopenssl1_0_0-1.0.1e-1.46.2.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b49c2121: NOKEY
    * Tue Apr 08 2014 shchang@suse.com
    - Fixed bug[ bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
      Add file: CVE-2014-0160.patch
    
    Btw, I hope you updated all the openssl packages to the versions from that repo, libopenssl1_0_0 in particular.
    The "openssh" package alone is NOT sufficient.

  7. #7

    Re: opensuse 12.2 and ssh heartbleed.

    Hi,
    thanks for the answer. Yes, I did:
    rpm -qa | grep ssl
    libopenssl-devel-1.0.1e-1.46.2.x86_64
    openssl-1.0.1e-1.46.2.x86_64
    libopenssl1_0_0-1.0.1e-1.46.2.x86_64
    libopenssl1_0_0-32bit-1.0.1e-1.46.2.x86_64

    zypper lr openssl::heartbleed
    Alias : openssl::heartbleed
    Name : openssl::heartbleed
    URI : http://download.opensuse.org/reposit.../openSUSE_12.2
    Enabled : Yes
    Priority : 99
    Auto-refresh : Off
    Keep Packages : Off
    Type : rpm-md
    GPG Check : On
    GPG Key URI :
    Path Prefix :
    Parent Service :
    MD Cache Path : /var/cache/zypp/raw/openssl::heartbleed

    Still no progress. Or is the test command not right? How do you test it?
    Thanks
    J.K.

  8. #8

    Re: opensuse 12.2 and ssh heartbleed.

    Please use CODE tags around the copied/pasted computer text. It is the # button in the tool bar of the post editor.
    Henk van Velden

  9. #9

    Re: opensuse 12.2 and ssh heartbleed.

    Originally Posted by karlijos:
    Still no progress. Or is the test command not right? How do you test it?
    As I said, I have no idea.

    Those packages are the same as have been released as security updates for 12.3 and 13.1.

    But I think you misunderstand something here: they don't disable the heartbeat extension, they fix the vulnerability (CVE-2014-0160).
    Last edited by wolfi323; 09-Apr-2014 at 02:27. Reason: corrected the CVE number
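
Added example, not part of any post in this thread: the distinction drawn in post #9, written as a shell check that looks for the CVE-2014-0160 entry in each package's changelog (the check shown in post #6) and reports the heartbeat extension separately, since the fixed packages still advertise it. The names `check_packages`, `heartbeat_status`, `CHANGELOG_CMD` and the `sample_changelog` stub are assumptions of this sketch; the sample lines are taken from the output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. The stub at the bottom stands in for
# rpm so the script runs offline; its sample lines come from posts #5 and #6.

# Command that prints a package changelog; the default is the real rpm query.
: "${CHANGELOG_CMD:=rpm -q --changelog}"

# Print "<pkg>: fix-recorded" or "<pkg>: NO-fix-recorded" for each package.
# Return non-zero if any package has no CVE-2014-0160 changelog entry.
check_packages() {
    rc=0
    for pkg in "$@"; do
        if $CHANGELOG_CMD "$pkg" 2>/dev/null | grep -q 'CVE-2014-0160'; then
            echo "$pkg: fix-recorded"
        else
            echo "$pkg: NO-fix-recorded"
            rc=1
        fi
    done
    return "$rc"
}

# Read `openssl s_client -connect host:443 -tlsextdebug` output on stdin and
# report whether heartbeat is advertised. Informational only: the fixed
# packages keep the extension enabled, so this line says nothing about the fix.
heartbeat_status() {
    if grep -qi 'TLS server extension "heartbeat"'; then
        echo "heartbeat: advertised"
    else
        echo "heartbeat: not-advertised"
    fi
}

# --- offline demo; sample_changelog is a constructed stand-in for rpm ---
sample_changelog() {
    case "$1" in
        libopenssl1_0_0|openssl)
            echo '- Fixed bug[ bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages' ;;
        *)
            echo '- constructed entry without the fix' ;;
    esac
}
CHANGELOG_CMD=sample_changelog
check_packages libopenssl1_0_0 openssl
echo 'TLS server extension "heartbeat" (id=15), len=1' | heartbeat_status
```

On a real host, drop the demo section so `CHANGELOG_CMD` keeps its rpm default, then run `check_packages libopenssl1_0_0 openssl`.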

  10. #10

    Re: opensuse 12.2 and ssh heartbleed.

    @karlijos.

    My idea is that you misunderstand the background of the answers you get. You are given advice on how it "could be" possible for you to patch the vulnerability by using the 12.3/13.1 patches.
    You must understand, however, that people here moved to 12.3 and/or 13.1 before 12.2 went out of support. Thus they are not able to try and/or test anything on 12.2. You are on your own there.

    And when your management does not understand how important it is to stay up to date with the software to be able to react to security vulnerabilities in due time, there is something wrong there imho.
    Henk van Velden
