More on Heartbleed:
Adding insult to injury, it seems you also need to upgrade the 'libssl1.0.0'
package on ubuntu.
Make sure the changelog mentions the fix to heartbeat and you should be ok.
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On 2014-04-10, at 13:12 , Louis Munro <[email protected]> wrote:
> Hi Etienne,
>
> To add more fuel to the fire...
>
> PacketFence itself does not require a specific version of openssl.
> So the question really is, which version is installed on your server.
>
> Some people will be affected and some will not.
>
> You need to check which version you have and then upgrade it (as a minimal
> remediation step) if you have a version between 1.0.1a and 1.0.1f (e.g.
> 1.0.1a all the way to 1.0.1f).
> See this for some details: https://www.openssl.org/news/secadv_20140407.txt
>
>
> On RedHat based systems, you can check it by running
>
> # rpm -q openssl
>
> On debian you can do this:
>
> # dpkg --list openssl
>
> Note that on CentOS (at least), the patched version is currently
> 1.0.1e-16.el6_5.7 (even though the advisory says not to trust versions a
> through f).
>
> You can check the changelog for your packages this way (on redhat):
>
> rpm -q openssl --changelog | head
> * Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
> - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
>
> * Tue Jan 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.4
> - fix CVE-2013-4353 - Invalid TLS handshake crash
>
> * Mon Jan 06 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.3
> - fix CVE-2013-6450 - possible MiTM attack on DTLS1
>
> [etc..]
>
>
> and on debian/ubuntu:
>
> # less /usr/share/doc/openssl/changelog.Debian.gz
>
> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>
> * Non-maintainer upload by the Security Team.
> * Enable checking for services that may need to be restarted
> * Update list of services to possibly restart
>
> -- Salvatore Bonaccorso <[email protected]> Tue, 08 Apr 2014 10:44:53 +0200
>
> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>
> * Non-maintainer upload by the Security Team.
> * Add CVE-2014-0160.patch patch.
> CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
> A missing bounds check in the handling of the TLS heartbeat extension
> can be used to reveal up to 64k of memory to a connected client or
> server.
>
> -- Salvatore Bonaccorso <[email protected]> Mon, 07 Apr 2014 22:26:55 +0200
>
> [etc…]
>
>
>
> You then need to restart any service that depends on openssl.
> When in doubt you may want to reboot.
>
> You could also check to see which processes depend on it, by running this:
>
> # lsof | grep ssl
>
>
> It remains for you to decide whether you feel it requires you to revoke
> and renew your certificates and keys.
>
> Everyone will have to decide that for themselves. It depends on how exposed
> you think you are.
>
> Best regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 *125 :: +1 (866) 353-6153
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
> On 2014-04-10, at 12:45 , Etienne Vella <[email protected]> wrote:
>
>> Hi,
>>
>> We did a scan on the PacketFence server today regarding the latest ssl
>> vulnerability and according to the scanners it seems that the PacketFence
>> version that we are currently running is vulnerable.
>>
>> Is there a release which is not vulnerable so that we could upgrade?
>>
>> Thanks,
>> Etienne
>>
>> ------------------------------------------------------------------------------
>> Put Bad Developers to Shame
>> Dominate Development with Jenkins Continuous Integration
>> Continuously Automate Build, Test & Deployment
>> Start a new project now. Try Jenkins in the cloud.
>> http://p.sf.net/sfu/13600_Cloudbees
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
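The three checks from the quoted reply (is the upstream OpenSSL version in the affected range, does the package changelog record the CVE-2014-0160 fix, and which processes still run the old library) as one POSIX shell script. This is an added example, not code from the thread or from PacketFence. The version strings, changelog excerpts and /proc maps lines at the bottom are constructed samples so the script runs offline; the rpm / dpkg-query / /proc wrappers are assumptions about a real host and are only exercised there. It covers the 1.0.1 line the thread discusses (the advisory also lists 1.0.2-beta1, which this script does not recognise), and it replaces the `lsof | grep ssl` heuristic with a scan for libssl/libcrypto mappings marked "(deleted)", which is the sign that the file on disk was replaced by the upgrade while the process still runs the old code.

```shell
#!/bin/sh
# Heartbleed (CVE-2014-0160) remediation checks. Added example, not from the
# thread or from PacketFence. Inputs are passed as text or on stdin so the
# functions can be run offline against the constructed samples below.

# Return 0 when the upstream OpenSSL version, with the distro release suffix
# stripped, is 1.0.1 through 1.0.1f: the range named in secadv_20140407.txt.
# "1.0.1e-16.el6_5.7" and "1.0.1e-2+deb7u5" both reduce to "1.0.1e".
affected_upstream_version() {
    _upstream=${1%%-*}
    case "$_upstream" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a package changelog (text on stdin) records the fix. Works on
# the output of "rpm -q openssl --changelog" and on changelog.Debian.gz, since
# both name the CVE in the entry that fixes it.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Return 0 when /proc/PID/maps text (on stdin) shows a libssl or libcrypto
# mapping marked "(deleted)": the library on disk was replaced by the upgrade,
# but this process still executes the old copy and must be restarted.
maps_show_stale_ssl() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' >/dev/null
}

# Combine the version and changelog checks into one verdict:
#   not-affected  upstream version outside the affected range
#   patched       in range, but the changelog records the CVE-2014-0160 fix
#   VULNERABLE    in range and no fix recorded
# $1 = installed package version, changelog text on stdin.
heartbleed_verdict() {
    if ! affected_upstream_version "$1"; then
        echo not-affected
    elif changelog_has_fix; then
        echo patched
    else
        echo VULNERABLE
    fi
}

# Wrappers for a live host (assumed tooling; not exercised offline).
installed_openssl_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
    else
        dpkg-query -W -f '${Version}\n' libssl1.0.0
    fi
}

# Print the PID of every process still mapping a replaced libssl/libcrypto.
stale_ssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        maps_show_stale_ssl < "$maps" && echo "$pid"
    done
}

# Constructed sample data (not real host output).
SAMPLE_CHANGELOG_PATCHED='* Mon Apr 07 2014 packager 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 packager 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'
SAMPLE_CHANGELOG_OLD='* Tue Jan 07 2014 packager 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'
SAMPLE_MAPS_STALE='7f3a2c000000-7f3a2c1c0000 r-xp 00000000 08:01 131083 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a2c3c0000-7f3a2c420000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
SAMPLE_MAPS_FRESH='7f3a2c3c0000-7f3a2c420000 r-xp 00000000 08:01 131091 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Demo against the samples. On a real host feed installed_openssl_version,
# the rpm/dpkg changelog and stale_ssl_pids instead.
printf '%s\n' "$SAMPLE_CHANGELOG_PATCHED" | heartbleed_verdict 1.0.1e-16.el6_5.7
printf '%s\n' "$SAMPLE_CHANGELOG_OLD"     | heartbleed_verdict 1.0.1e-16.el6_5.4
printf '%s\n' "$SAMPLE_CHANGELOG_OLD"     | heartbleed_verdict 1.0.1g-1
if printf '%s\n' "$SAMPLE_MAPS_STALE" | maps_show_stale_ssl; then
    echo "restart needed: a process still maps the replaced libssl/libcrypto"
fi
```

A "patched" verdict is what a backported fix like CentOS's 1.0.1e-16.el6_5.7 produces: the version string alone still looks affected, and only the changelog tells the two apart, which is why the script never trusts the version number by itself. A "not-affected" verdict for 1.0.0 or 0.9.8 packages is correct, since those lines never had the heartbeat code.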