On 11.04.2014, at 17:26, daniel <[email protected]> wrote:
>
> We are very concerned about the 'Heartbeat' security problem which has
> been discovered with OpenSSL. Thanks to our out-of-date old-stable
> version of debian, we are using:
>
> openssl 0.9.8o-4squeeze14
>
> This page also claims debian 6 (which we use) is unaffected:
> https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
>
> as does the text of the DSA below.
>
> However, both of the heartbeat vulnerability checkers we have used have
> told us that they were able to successfully exploit this vulnerability
> against our site:
>
> http://filippo.io/Heartbleed/#noflag.org.uk
> https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk
>
> What could be going on here?

You are not using the squeeze-Apache but a newer one compiled with a newer openssl. If you do a dpkg -l openssl and don't get a higher version than 0.9.8, you are probably running one of these "all in one" website packages that provides its own apache and applications.

Dirk
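
One way to check the situation described in the reply above, as an added example that is not part of the original thread: list the libssl/libcrypto files a running web server process has mapped and mark the ones that do not come from the system library directories. The sample maps text and the /opt/examplestack prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example: which libssl/libcrypto files does a running server map,
# and do they come from the system library directories or a bundled stack?

# Constructed sample in /proc/<pid>/maps format; /opt/examplestack is a
# hypothetical install prefix for an "all in one" package.
SAMPLE_MAPS='00400000-0048a000 r-xp 00000000 08:01 393301 /opt/examplestack/apache2/bin/httpd
7f3b1c000000-7f3b1c158000 r-xp 00000000 08:01 131080 /lib/libc-2.11.3.so
7f3b1d000000-7f3b1d1b4000 r-xp 00000000 08:01 393410 /opt/examplestack/lib/libcrypto.so.1.0.0
7f3b1d400000-7f3b1d45c000 r-xp 00000000 08:01 393411 /opt/examplestack/lib/libssl.so.1.0.0
7f3b1d65b000-7f3b1d666000 rw-p 0005b000 08:01 393411 /opt/examplestack/lib/libssl.so.1.0.0'

# Print the unique paths of mapped libssl/libcrypto shared objects.
# Field 6 of a maps line is the backing file.
ssl_libs_from_maps() {
    awk '$6 ~ "/lib(ssl|crypto)[^/]*[.]so" { print $6 }' | sort -u
}

# "system" if the path is under a distribution library directory (the copy
# the distribution's packages provide), otherwise "bundled".
classify_lib() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo system ;;
        *) echo bundled ;;
    esac
}

# Read maps text on stdin, print one "<class> <path>" line per library.
report_ssl_libs() {
    ssl_libs_from_maps | while IFS= read -r path; do
        printf '%s %s\n' "$(classify_lib "$path")" "$path"
    done
}

# Usage: sh script.sh <pid>...   (reading another user's maps needs root)
for pid in "$@"; do
    echo "pid $pid:"
    report_ssl_libs < "/proc/$pid/maps"
done
```

A server binary with OpenSSL linked in statically maps no libssl file at all, so an empty result does not by itself mean the system copy is in use.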

