Page 2 of 5
Results 11 to 20 of 44

Thread: opensuse 12.2 and ssh heartbleed.

  1. #11

    Re: opensuse 12.2 and ssh heartbleed.

    On 04/09/2014 03:06 AM, karlijos wrote:
    >
    > Hi,
    > thanks for answer. Yes, I did:
    > rpm -qa | grep ssl
    > libopenssl-devel-1.0.1e-1.46.2.x86_64
    > openssl-1.0.1e-1.46.2.x86_64
    > libopenssl1_0_0-1.0.1e-1.46.2.x86_64
    > libopenssl1_0_0-32bit-1.0.1e-1.46.2.x86_64
    >
    > zypper lr openssl::heartbleed
    > Alias : openssl::heartbleed
    >
    > Name : openssl::heartbleed
    >
    > URI : http://tinyurl.com/kml3z26
    > Enabled : Yes
    >
    > Priority : 99
    >
    > Auto-refresh : Off
    >
    > Keep Packages : Off
    >
    > Type : rpm-md
    >
    > GPG Check : On
    >
    > GPG Key URI :
    >
    > Path Prefix :
    >
    > Parent Service :
    >
    > MD Cache Path : /var/cache/zypp/raw/openssl::heartbleed
    >
    > Still no progress. Or is the test command not right? How do you test it?


    Valid tests that actually attempt to exploit the vulnerability rather than
    simply look for the presence of TLS heartbeat functionality are available
    online; Google for them and use them as desired. In the meantime, most of
    the really simple tests (like yours looking for supported headers during
    the very first part of the TLS handshake from the server) merely tell you
    whether or not the server supports TLS Heartbeat, whether in patched or
    unpatched form. As a result, your test is invalid and likely to throw
    false positives (indicating problems when there are not).

    If your openssl build is from 2014-04-07 or later you're almost certainly
    fixed. To prove otherwise, exploit the issue and retrieve sensitive data,
    then report back.

    --
    Good luck.


  2. #12

    Re: opensuse 12.2 and ssh heartbleed.

    On 04/09/2014 06:16 AM, hcvv pecked at the keyboard and wrote:
    > @karlios.
    >
    > My idea is that you misunderstand the background of the answers you get.
    > You are given advice on how it "could be" possible for you to patch for
    > the vulnerability by using the 12.3/13.1 patches.
    > You must understand however that people here moved to 12.3 and/or 13.1
    > before 12.2 went out of support. Thus they are not able to try and or
    > test anything on 12.2. You are on your own there.
    >
    > And when your management does not understand how important it is to stay
    > up to date with the software to be able to react on security
    > vulnerabilities in due time, there is something wrong there imho.
    >
    >


    And if the server is that important it really should be using SLES
    instead, which provides long term support.

    Ken

  3. #13

    Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by kensch

    And if the server is that important it really should be using SLES
    instead, which provides long term support.

    Ken

    Oh yes. In fact I hoped that my hint would initiate some thinking on their part, and I am with you in hoping that that thinking leads to the conclusion that SLES is probably a much better solution.
    Henk van Velden

  4. #14

    Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by kensch
    And if the server is that important it really should be using SLES
    instead, which provides long term support.

    There are some caveats here, though:
    SLES is expensive. Really, really expensive over the span of 5 years for a single server even with the lowest level of support. If you use it in a virtualized environment, then you're double screwed because the price goes through the roof - it actually becomes cheaper to have a person on site maintaining the "open" versions than it does to license them from SUSE.

    Second problem is that many of the packages included in SLES are hideously out of date. If you want to upgrade the ancient tools that come with it you're left with an unsupported OS and you're back to square one.
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/

  5. #15

    Re: opensuse 12.2 and ssh heartbleed.

    In all cases "maintaining it" is the keyword.
    Henk van Velden

  6. #16

    Re: opensuse 12.2 and ssh heartbleed.

    I'm confused. The patches that people are being directed at, and the ones that seem most current in yast2, are openssl 1.0.1e. However, this is a vulnerable version of openssl - don't we need 1.0.1g?

  7. #17

    Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by karlijos
    I planned to distro-upgrade the server, but not right now. It is a quite important server; management must agree with server maintenance :-/
    Any recommendations for now? How to disable heartbeat in ssl? Or so?

    Why bother? You have many more security problems than heartbleed if you're still running 12.2 on your server. That's extremely irresponsible. Well, good luck....

    Quote Originally Posted by CountBakula
    I'm confused. The patches that people are being directed at, and the ones that seem most current in yast2, are openssl 1.0.1e. However, this is a vulnerable version of openssl - don't we need 1.0.1g?

    No. An upgrade to 1.0.1g would bring many unrelated changes, which very few Linux distributions would be willing to release as an update. Instead, they'll add a patch to the previous version just to fix the vulnerability.

    Check out https://build.opensuse.org/package/s...Update/openssl to see how it works; notice openSUSE has several patches on top of the upstream 1.0.1e release, including CVE-2014-0160.patch which fixes heartbleed.
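The practical consequence of the backport described in the post above is that the upstream version string (`1.0.1e`) cannot tell you whether a box is fixed; only the RPM release field and the package changelog can. The block below is an added example for this thread, not openSUSE's tooling: it implements an rpmvercmp-style comparison of version and release, splits a NEVRA such as the one the original poster listed, and looks for the `CVE-2014-0160.patch` entry in `rpm -q --changelog openssl` output. The "fixed" release `1.46.9` and the changelog text are placeholders constructed for the example; the real 12.2 update's release number is not stated anywhere in this thread.

```python
"""Decide whether an installed openssl RPM carries the backported Heartbleed fix.
Added example for this thread, not openSUSE tooling.  FIXED below is a placeholder
release, not the real 12.2 update; the changelog samples are constructed."""
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")
_ARCH = re.compile(r"\.(x86_64|i[3-6]86|noarch|aarch64|ppc64le|s390x)$")


def rpmvercmp(a, b):
    """Segment-wise comparison modelled on rpm's rpmvercmp: numeric runs compare as integers,
    alphabetic runs lexically, a number outranks a letter, and a longer string wins a tie.
    (rpm's '~' pre-release rule is not implemented here.)  Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nevra(nevra):
    """'openssl-1.0.1e-1.46.2.x86_64' -> ('openssl', '1.0.1e', '1.46.2'); epoch is not handled."""
    name, version, release = _ARCH.sub("", nevra).rsplit("-", 2)
    return name, version, release


def compare_evr(installed, fixed):
    """Compare (version, release) pairs the way rpm orders packages: version first, then release.
    Two builds of the same upstream version differ only in release, which is exactly the case
    for a distribution backport such as 1.0.1e-<old> vs 1.0.1e-<new>."""
    by_version = rpmvercmp(installed[0], fixed[0])
    return by_version or rpmvercmp(installed[1], fixed[1])


def fixing_entry(changelog, cve="CVE-2014-0160"):
    """Return the header ('* <date> <packager>') of the first `rpm -q --changelog` entry
    mentioning the CVE, or None.  This works no matter what the version string says."""
    header, body = None, []
    for line in changelog.splitlines() + ["* "]:       # sentinel flushes the last entry
        if line.startswith("* "):
            if header is not None and any(cve in l for l in body):
                return header
            header, body = line, []
        else:
            body.append(line)
    return None


def assess(installed_nevra, fixed_nevra, changelog, cve="CVE-2014-0160"):
    """Combine both checks into one verdict."""
    _, iver, irel = split_nevra(installed_nevra)
    _, fver, frel = split_nevra(fixed_nevra)
    return {
        "release_at_or_above_fix": compare_evr((iver, irel), (fver, frel)) >= 0,
        "changelog_entry": fixing_entry(changelog, cve),
    }


# Constructed sample input, not real `rpm` output.  INSTALLED is the package the original
# poster listed; FIXED and both changelog texts are placeholders for the example.
INSTALLED = "openssl-1.0.1e-1.46.2.x86_64"
FIXED = "openssl-1.0.1e-1.46.9.x86_64"
SAMPLE_CHANGELOG_UNPATCHED = """\
* Tue Jan 14 2014 packager@example.invalid
- earlier, unrelated fix
"""
SAMPLE_CHANGELOG_PATCHED = """\
* Mon Apr 07 2014 packager@example.invalid
- add CVE-2014-0160.patch: bound the TLS heartbeat payload to the record length
""" + SAMPLE_CHANGELOG_UNPATCHED


if __name__ == "__main__":
    print(assess(INSTALLED, FIXED, SAMPLE_CHANGELOG_UNPATCHED))
    print(assess(FIXED, FIXED, SAMPLE_CHANGELOG_PATCHED))
```

On a real system the inputs are `rpm -q openssl` and `rpm -q --changelog openssl`; feed the latter to `fixing_entry()` and you get the date and packager of the entry that added the CVE patch, or `None` if the installed build predates it, regardless of the `1.0.1e` in the name.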

  8. #18

    Re: opensuse 12.2 and ssh heartbleed.

    According to what I read on the openSSL project site,

    Source which includes the patch is available, and is more or less implemented as described in the previous post in this thread.
    When compiled properly, the new version should <not> read 1.0.1x; a new minor version will result: "1.0.2".

    I haven't been able to verify that anyone has built a working patched package, although the previous posts suggest it might exist.
    In any case, I am hoping that an official patched package is released much sooner rather than later. As I'm writing this, I see at http://software.opensuse.org that there are a number of private builds of a "1.0.1g" which I assume are patched versions (can't know for sure), because the current stable release is 1.0.1e and at the openssl project site they say their last official release is 1.0.1f.

    TSU

  9. #19

    Re: opensuse 12.2 and ssh heartbleed.

    If you really, really want to you can grab the 12.3 source rpm, adjust the version number to be higher than included with 12.2 and build it against 12.2 and it will build cleanly. Then install those RPMs on 12.2.

    However that is a bad idea and anyone still running 12.2 should update to 12.3, at least. 13.1 comes with some upgrade caveats like MariaDB/MySQL and Apache 2.4.x which require minor configuration modifications.

    Edit:
    Also, the patched 12.3/13.1 will not be the f or g versions but instead a backported e. For example, on a 13.1 system the package version is openssl-1.0.1e-11.32.1
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/

  10. #20

    Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by Golbats_Everywhere
    Why bother? You have many more security problems than heartbleed if you're still running 12.2 on your server. That's extremely irresponsible. Well, good luck....

    No. An upgrade to 1.0.1g would bring many unrelated changes, which very few Linux distributions would be willing to release as an update. Instead, they'll add a patch to the previous version just to fix the vulnerability.

    Check out https://build.opensuse.org/package/s...Update/openssl to see how it works; notice openSUSE has several patches on top of the upstream 1.0.1e release, including CVE-2014-0160.patch which fixes heartbleed.

    Interesting.
    So, I just tested on my systems... although I ordinarily just run "zypper up" with the expectation that an update should provide superior protection and implement <all> recent improvements, in this case <it will not capture the heartbleed patch>.

    After running "zypper up" I have just run "zypper patch" and <only then> am I getting the patched openssl package.

    So, this is how people should update their systems to get the heartbleed patch...

    TSU
