Joe Parsons <[email protected]> writes:
> I was slow to patch my multiple vms after that heartbleed disclosure.
> I just managed to upgrade these systems to 9.2, and installed the
> patched openssl, then started changing passwords for root and other
> shell users. [...]
If you were running 9.2 or older and had not installed OpenSSL from
ports, you were never vulnerable.
In any case, heartbleed does *not* facilitate remote code execution or
code injection, only information retrieval, so unless your passwords
were stored in cleartext (or a weakly hashed form) in the memory of an
Internet-facing SSL-enabled service (such as https, smtp with STARTTLS
or imaps, but not ssh), you cannot have been "hacked" as a consequence
of heartbleed.
Your passwd etc issues are consistent with out-of-sync {,s}pwd.mkdb
which can result from a botched mergemaster.
DES
--
Dag-Erling Smørgrav - [email protected]
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
