Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On 04/28/14 09:17, Joseph wrote:
> Which program do I upgrade to fix the Heartbleed bug?
> http://safeweb.norton.com/heartbleed/ is showing me my server is vulnerable.
> I'm using dev-libs/openssl-0.9.8y
> Why is safeweb.norton triggering my server as vulnerable?
> I'm using apache-2.2.25
> Which file contains the setting for: SSLCompression
> I'm trying to turn it off.

--
Joseph
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On Mon, 28 Apr 2014 10:02:52 -0600
Joseph syscon...@gmail.com wrote:

> On 04/28/14 09:17, Joseph wrote:
> > Which program do I upgrade to fix the Heartbleed bug?
> > http://safeweb.norton.com/heartbleed/ is showing me my server is vulnerable.
> > I'm using dev-libs/openssl-0.9.8y
> > Why is safeweb.norton triggering my server as vulnerable?
> > I'm using apache-2.2.25
> > Which file contains the setting for: SSLCompression
> > I'm trying to turn it off.

Unaffected according to:
http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml

Perhaps all you need to do is restart the Apache service?

--
With kind regards,
Tom Wijsman (TomWij)
Gentoo Developer
E-mail address : tom...@gentoo.org
GPG Public Key : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On 04/28/14 20:13, Tom Wijsman wrote:
> On Mon, 28 Apr 2014 10:02:52 -0600
> Joseph syscon...@gmail.com wrote:
>
> > On 04/28/14 09:17, Joseph wrote:
> > > Which program do I upgrade to fix the Heartbleed bug?
> > > http://safeweb.norton.com/heartbleed/ is showing me my server is vulnerable.
> > > I'm using dev-libs/openssl-0.9.8y
> > > Why is safeweb.norton triggering my server as vulnerable?
> > > I'm using apache-2.2.25
> > > Which file contains the setting for: SSLCompression
> > > I'm trying to turn it off.
>
> Unaffected according to:
> http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml
>
> Perhaps all you need to do is restart the Apache service?
>
> --
> With kind regards,
> Tom Wijsman (TomWij)
> Gentoo Developer
> E-mail address : tom...@gentoo.org
> GPG Public Key : 6D34E57D
> GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D

No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f, and the one that was in use was the buggy one: 1.0.1f.
I recompiled 1.0.1f without tls-heartbeat and the problem is solved.

dev-libs/openssl
  Available versions: (0.9.8) 0.9.8y
                      (0) 1.0.0j 1.0.1f
                      {bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib}
  Installed versions: 0.9.8y(0.9.8)(11:06:09 PM 10/18/2013)(sse2 zlib -bindist -gmp -kerberos -test)
                      1.0.1f(12:57:54 PM 03/21/2014)(sse2 tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs -test -vanilla)

But what puzzles me is that when I downgraded it to 1.0.0j (unaffected version) I could not restart apache. I was getting an error:

/etc/init.d/apache2 restart
 * apache2 has detected an error in your setup:
apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: TLSv1_1_client_method
 * ERROR: apache2 failed to stop

--
Joseph
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On Mon, Apr 28, 2014 at 2:34 PM, Joseph syscon...@gmail.com wrote:
> But what puzzles me is that when I downgraded it to 1.0.0j (unaffected version) I could not restart apache. I was getting an error:
>
> /etc/init.d/apache2 restart
>  * apache2 has detected an error in your setup:
> apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: TLSv1_1_client_method
>  * ERROR: apache2 failed to stop

When you *downgrade* a shared library, you generally need to rebuild all programs which are linked against that library. The newer library version may provide additional symbols which would be missing from the older version of the library. That's what that undefined symbol error is about.
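The failure Mike describes can be caught before a restart rather than discovered when the service refuses to come back: compare the strong undefined symbols a module imports with the symbols its run-time libraries actually export. The script below is an added example and is not code from this thread, from Apache or from Gentoo. It assumes the output formats of GNU ldd and nm -D; the ldd and nm outputs embedded in it are constructed to mimic mod_ssl.so built against OpenSSL 1.0.1 and then loaded with a libssl from 1.0.0, and the paths in them are illustrative.

```python
"""
Report symbols a loadable module needs that its run-time dependencies do not
export: the situation behind "undefined symbol: TLSv1_1_client_method" when a
mod_ssl.so built against OpenSSL 1.0.1 is loaded with libssl from 1.0.0.

Added example, not code from the thread or from Apache/Gentoo. It assumes the
output formats of GNU `ldd` and `nm -D`; the samples below are constructed.
"""
import re
import subprocess
import sys
from typing import Dict, Optional, Set

# Constructed sample of `ldd /usr/lib64/apache2/modules/mod_ssl.so`.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd8e1c0000)
\tlibssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f1e5c4a0000)
\tlibcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f1e5c0a0000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1e5bce0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1e5c9c0000)
"""

# Constructed sample of `nm -D --undefined-only mod_ssl.so` (what it imports).
SAMPLE_MODULE_UNDEF = """\
                 U SSL_CTX_new
                 U SSL_CTX_set_options
                 U TLSv1_1_client_method
                 U TLSv1_2_server_method
                 U SSLv23_server_method
                 w __gmon_start__
"""

# Constructed sample of `nm -D --defined-only libssl.so.1.0.0` for a libssl
# that predates the TLS 1.1/1.2 entry points.
SAMPLE_LIB_DEFINED = """\
000000000002a0f0 T SSL_CTX_new
000000000002b3c0 T SSL_CTX_set_options
0000000000021f80 T SSLv23_server_method
0000000000010100 D SSL_version_str
"""

LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(/\S+)")
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+)?\s*([A-Za-z])\s+(\S+)$")

# nm type letters of symbols a library really exports. Lower-case 'w' and 'v'
# are *undefined* weak references and are deliberately left out.
DEFINED_TYPES = "TtDdBbRrWViu"


def parse_ldd(text: str) -> Dict[str, str]:
    """Map SONAME -> resolved path; skips the vdso, the loader and 'not found'."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def parse_nm(text: str, types: str) -> Set[str]:
    """Names of symbols whose nm type letter is in `types`, version suffix stripped."""
    syms: Set[str] = set()
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if m and m.group(1) in types:
            syms.add(m.group(2).split("@")[0])  # foo@@OPENSSL_1.0.1 -> foo
    return syms


def missing_symbols(module_undef: str, libs_defined: str) -> Set[str]:
    """Strong ('U') imports of the module that none of the given exports satisfy.

    Weak references such as __gmon_start__ are ignored: the dynamic loader
    tolerates their absence, whereas a missing 'U' symbol is fatal at dlopen().
    """
    return parse_nm(module_undef, "U") - parse_nm(libs_defined, DEFINED_TYPES)


def nm(path: str, flag: str) -> str:
    return subprocess.run(["nm", "-D", flag, path], check=True,
                          capture_output=True, text=True).stdout


def check_module(module_path: str, host_binary: Optional[str] = None) -> Set[str]:
    """Live check against the real libraries ldd resolves for `module_path`.

    Pass the program that will dlopen() the module as `host_binary` (for
    Apache, the httpd/apache2 executable): symbols such as ap_* come from that
    executable rather than from any library and would otherwise be reported.
    """
    ldd_out = subprocess.run(["ldd", module_path], check=True,
                             capture_output=True, text=True).stdout
    exports = [nm(p, "--defined-only") for p in parse_ldd(ldd_out).values()]
    if host_binary:
        exports.append(nm(host_binary, "--defined-only"))
    return missing_symbols(nm(module_path, "--undefined-only"), "\n".join(exports))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        gap = check_module(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:  # offline demo on the constructed samples
        gap = missing_symbols(SAMPLE_MODULE_UNDEF, SAMPLE_LIB_DEFINED)
    for sym in sorted(gap):
        print("undefined symbol:", sym)
    sys.exit(1 if gap else 0)
```

Run without arguments it reports the two TLS 1.1/1.2 entry points from the constructed samples; run as `python check.py /usr/lib64/apache2/modules/mod_ssl.so /usr/sbin/apache2` it inspects the real files. Two caveats: ldd may execute code from the object it inspects, so only point it at binaries you trust, and a clean result only says the symbols resolve, not that the older library's behaviour matches what the module was built for, which is why rebuilding the consumers after a downgrade remains the right fix.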
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On Mon, Apr 28, 2014 at 2:34 PM, Joseph syscon...@gmail.com wrote:
> No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f, and the one that was in use was the buggy one: 1.0.1f.
> I recompiled 1.0.1f without tls-heartbeat and the problem is solved.

Why not run emerge --sync and upgrade to 1.0.1g?
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On 04/28/14 14:54, Mike Gilbert wrote:
> On Mon, Apr 28, 2014 at 2:34 PM, Joseph syscon...@gmail.com wrote:
> > No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f, and the one that was in use was the buggy one: 1.0.1f.
> > I recompiled 1.0.1f without tls-heartbeat and the problem is solved.
>
> Why not run emerge --sync and upgrade to 1.0.1g?

This is my running server, so I try to upgrade the backup first before upgrading the main server.
I recompiled 1.0.1f without tls-heartbeat and it solved the problem.

--
Joseph
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On Mon, 28 April 2014, at 8:09 pm, Joseph syscon...@gmail.com wrote:
> On 04/28/14 14:54, Mike Gilbert wrote:
> > On Mon, Apr 28, 2014 at 2:34 PM, Joseph syscon...@gmail.com wrote:
> > > No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f, and the one that was in use was the buggy one: 1.0.1f.
> > > I recompiled 1.0.1f without tls-heartbeat and the problem is solved.
> >
> > Why not run emerge --sync and upgrade to 1.0.1g?
>
> This is my running server, so I try to upgrade the backup first before upgrading the main server.
> I recompiled 1.0.1f without tls-heartbeat and it solved the problem.

If you don't want to emerge --sync (and by implication update everything), you can download the ebuild for just this package and put it in /usr/local/portage

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-libs/openssl/openssl-1.0.1g.ebuild

Stroller.
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On 04/28/2014 12:02 PM, Joseph wrote:
> I'm using apache-2.2.25
> Which file contains the setting for: SSLCompression
> I'm trying to turn it off.

It's on by default in apache-2.2. Place the following somewhere in 40_mod_ssl.conf, between <IfModule ssl_module> and </IfModule>:

    # Disable CRIME attack (off by default in apache-2.4)
    SSLCompression off