Hi Etienne,
To add more fuel to the fire...
PacketFence itself does not require a specific version of openssl.
So the question really is, which version is installed on your server.
Some people will be affected and some will not.
You need to check which version you have and then upgrade it (as a minimal
remediation step) if you have a version between 1.0.1a and 1.0.1f (i.e.
1.0.1a all the way up to 1.0.1f).
See this for some details: https://www.openssl.org/news/secadv_20140407.txt
On Red Hat-based systems, you can check it by running
# rpm -q openssl
On Debian you can do this:
# dpkg --list openssl
Note that on CentOS (at least), the patched version is currently
1.0.1e-16.el6_5.7 (even though the advisory says not to trust versions a
through f).
You can check the changelog for your packages this way (on Red Hat):
# rpm -q openssl --changelog | head
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
* Mon Jan 06 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.3
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
[etc.]
and on Debian/Ubuntu:
# less /usr/share/doc/openssl/changelog.Debian.gz
openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
* Enable checking for services that may need to be restarted
* Update list of services to possibly restart
-- Salvatore Bonaccorso <[email protected]> Tue, 08 Apr 2014 10:44:53 +0200
openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
* Add CVE-2014-0160.patch patch.
CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
-- Salvatore Bonaccorso <[email protected]> Mon, 07 Apr 2014 22:26:55 +0200
[etc.]
You then need to restart any service that depends on OpenSSL.
When in doubt you may want to reboot.
You could also check to see which processes depend on it, by running this:
# lsof | grep ssl
It remains for you to decide whether you feel this requires you to revoke and
renew your certificates and keys.
Everyone will have to decide that for themselves. It depends on how exposed you
think you are.
Best regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On 2014-04-10, at 12:45, Etienne Vella <[email protected]> wrote:
> Hi,
>
> We did a scan on the PacketFence server today regarding the latest SSL
> vulnerability and according to the scanners it seems that the PacketFence
> version that we are currently running is vulnerable.
>
> Is there a release which is not vulnerable so that we could upgrade?
>
> Thanks,
> Etienne
>
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
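The three checks Louis describes above (package version, package changelog, processes still holding the library), put together as a script. This is an added example written for this page, not code from the original thread and not PacketFence code. It assumes a Red Hat or Debian style host with `rpm` or `dpkg-query`, and the function names (`assess`, `processes_using_libssl`, etc.) and the sample changelog text are this example's own constructions. The decision logic is deliberately split from the package-manager calls so it can be exercised on constructed version strings anywhere; the live check only runs where the tools exist.

```shell
#!/bin/sh
# Heartbleed (CVE-2014-0160) exposure check following the steps in the message
# above: package version, package changelog, processes holding the library.
# Added example, not part of the original thread and not PacketFence code.

# Upstream OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1, contain the bug;
# 1.0.1g is the fixed release (openssl.org advisory of 2014-04-07).
# Argument: upstream version only, e.g. 1.0.1e, without the distro suffix.
upstream_in_affected_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce a package version to its upstream part: "openssl-1.0.1e-16.el6_5.7.x86_64"
# (rpm -q output) and "1.0.1e-2+deb7u6" (dpkg) both become "1.0.1e". Distro
# revisions start with a digit, so the "-beta1" of 1.0.2-beta1 is kept.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^openssl-//' -e 's/-[0-9].*//'
}

# CentOS and Debian wheezy both ship 1.0.1e with the fix backported, so the
# upstream version alone cannot clear a host; the changelog on stdin is the
# signal that this particular build carries the CVE-2014-0160 fix.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Combine both signals for a package version ($1) and its changelog text ($2).
# Prints exactly one word:
#   not-affected  upstream version outside the affected range
#   patched       affected range, but the changelog records the fix
#   vulnerable    affected range and no CVE-2014-0160 entry: upgrade now
assess() {
    up=$(upstream_version "$1")
    if ! upstream_in_affected_range "$up"; then
        echo not-affected
    elif printf '%s\n' "$2" | changelog_has_fix; then
        echo patched
    else
        echo vulnerable
    fi
}

# Processes that currently map libssl/libcrypto, read from /proc (Linux) so it
# works without lsof. A mapping marked "(deleted)" means the upgrade replaced
# the file on disk while this process still runs the old copy from memory, so
# that service needs a restart (or reboot, as the message says). Maps of other
# users' processes are skipped silently when they are not readable.
processes_using_libssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto)\.so' "$maps" 2>/dev/null; then
            name=$(cat "/proc/$pid/comm" 2>/dev/null)
            if grep -qE 'lib(ssl|crypto)\.so.*\(deleted\)' "$maps" 2>/dev/null; then
                echo "$pid $name  RESTART NEEDED: old library still mapped"
            else
                echo "$pid $name"
            fi
        fi
    done
}

# Constructed changelog excerpt in the shape of `rpm -q --changelog openssl`
# on the patched CentOS 6 package quoted in the message (sample data only).
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Tomas Mraz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomas Mraz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'

main() {
    echo "constructed examples:"
    echo "  1.0.1e-16.el6_5.4, no fix in changelog: $(assess 1.0.1e-16.el6_5.4 '')"
    echo "  1.0.1e-16.el6_5.7, fix in changelog:    $(assess 1.0.1e-16.el6_5.7 "$SAMPLE_CHANGELOG")"
    echo "  1.0.1g-1, fixed upstream release:       $(assess 1.0.1g-1 '')"

    if command -v rpm >/dev/null 2>&1; then
        pkgver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null) || pkgver=
        changelog=$(rpm -q --changelog openssl 2>/dev/null)
    elif command -v dpkg-query >/dev/null 2>&1; then
        # On Debian/Ubuntu the shared library lives in libssl1.0.0, built from
        # the same source package as openssl, so either package's version and
        # changelog answer the question.
        pkgver=$(dpkg-query -W -f '${Version}\n' openssl 2>/dev/null) || pkgver=
        changelog=$(zcat /usr/share/doc/openssl/changelog.Debian.gz 2>/dev/null)
    else
        echo "no rpm or dpkg on this host; skipping the live check"
        return 0
    fi
    if [ -z "$pkgver" ]; then
        echo "openssl package not installed; skipping the live check"
        return 0
    fi
    echo "this host: openssl $pkgver is $(assess "$pkgver" "$changelog")"
    echo "processes with libssl/libcrypto mapped (restart these after upgrading):"
    processes_using_libssl
}
main "$@"
```

Run it as root so every process's `/proc/<pid>/maps` is readable; the "(deleted)" flag is the check that tells you a daemon is still serving with the pre-upgrade library even though `rpm -q` now reports the fixed package.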