> On Tue, 15 Apr 2014 19:06:14 +0200, loki <l...@pancevo.rs> wrote:
> 1.) Is it enough for me to recompile only OpenSSL or do I have to
> recompile OpenSSH, apache, OpenVPN?

I have not yet looked at the patch that fixes CVE-2014-0160, but I imagine that you do not need to recompile anything that dynamically links to OpenSSL. Anything that links statically should be recompiled. How to tell? Well, you compiled it, you ought to know what went into it. :) In principle, you can run ldd on the executable in question and see if /whatever/libssl.so.* comes up in the list. If so, OpenSSL is linked in dynamically.

> 2.) Do I have to recreate the selfsigned certs for WWW even if I don't
> use any passwords for the private key? (After I update OpenSSL)

Not if (1) it has not been compromised and (2) you don't care about it being compromised. In practice, you almost certainly care about it being compromised and, due to the fact that the private key was in the same address space that is exposed by CVE-2014-0160, your private key was almost certainly leaked to anyone who bothered to look.

> 3.) Do I have to recreate the keys used for the users of OpenVPN?
> (After I update OpenSSL)

If they were not loaded into the server's address space (and they probably weren't), no.

Note that all the above answers apply any time an attacker has read access to the server's address space. There is nothing special about the so-called "heartbleed bug" that makes it different from so many other information leak bugs.

--
Svi moji e-mailovi su kriptografski potpisani. Proverite ih.
All of my e-mails are cryptographically signed. Verify them.
--
You don't need an AI for a robot uprising. Humans will do just fine.
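The two checks suggested in the reply above (run ldd to see whether libssl shows up, and regenerate a self-signed key pair once the library is fixed) as a small POSIX shell script. This is an added example, not code from the thread or from the LFS project. The ldd output embedded below is constructed sample text, not captured from a real host, and the key/cert paths and the CN passed to regenerate_selfsigned are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Given ldd output, decide
# whether a binary picks up libssl/libcrypto dynamically (only OpenSSL itself
# needs rebuilding) or shows no such entry (possibly statically linked: rebuild
# it too). The second half regenerates a self-signed key pair, which is what
# the reply recommends for a key that lived in the vulnerable address space.

# classify_ldd_output: read ldd output on stdin; print "dynamic" when a
# libssl.so.* or libcrypto.so.* entry is present, otherwise "no-dynamic-ssl".
classify_ldd_output() {
    if grep -Eq 'lib(ssl|crypto)\.so'; then
        echo dynamic
    else
        echo no-dynamic-ssl
    fi
}

# classify_binary: run the real ldd on the path in $1 and classify the result.
# A statically linked program makes ldd report "not a dynamic executable",
# which contains no libssl entry and so lands in the "no-dynamic-ssl" bucket.
classify_binary() {
    ldd "$1" 2>/dev/null | classify_ldd_output
}

# regenerate_selfsigned KEYFILE CERTFILE CN: create a fresh RSA key and a
# self-signed certificate, overwriting the old (presumed leaked) files.
# Run this only after the patched OpenSSL is installed, otherwise the new key
# is generated into the same exposed address space. Paths and CN are
# hypothetical arguments supplied by the caller.
regenerate_selfsigned() {
    keyout=$1
    certout=$2
    cn=$3
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found in PATH" >&2
        return 1
    }
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$keyout" -out "$certout"
}

# Constructed sample ldd output for a program that links OpenSSL dynamically.
SAMPLE_DYNAMIC='	linux-vdso.so.1 (0x00007ffd1a3fe000)
	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f2c4b900000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f2c4b500000)
	libc.so.6 => /lib/libc.so.6 (0x00007f2c4b100000)'

# Constructed sample for a program whose ldd output shows no libssl entry
# (either statically linked against OpenSSL or not using TLS at all).
SAMPLE_STATIC='	linux-vdso.so.1 (0x00007ffd1a3fe000)
	libc.so.6 => /lib/libc.so.6 (0x00007f2c4b100000)'

# Demo: classify the constructed samples, then any binaries given as arguments.
printf 'sample (dynamic): %s\n' "$(printf '%s\n' "$SAMPLE_DYNAMIC" | classify_ldd_output)"
printf 'sample (static):  %s\n' "$(printf '%s\n' "$SAMPLE_STATIC" | classify_ldd_output)"
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(classify_binary "$bin")"
done
```

Usage: `sh check_ssl_link.sh /usr/sbin/sshd /usr/sbin/httpd` lists each binary with `dynamic` or `no-dynamic-ssl`; then `regenerate_selfsigned /etc/ssl/private/www.key /etc/ssl/certs/www.crt www.example.org` (placeholder paths) replaces the old pair. Anything reported as `no-dynamic-ssl` that you know was built against OpenSSL should be relinked, since it carries its own copy of the vulnerable code.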
--
http://linuxfromscratch.org/mailman/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page