pluggers,

another action needed from you... if you use the services of any of the
sites listed in the link below, then you need to change your
password...

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link

it's time to realize why open source is not as secure as others
claim it to be... but of course... there are still plenty of
undiscovered security holes waiting to be discovered by security
engineers... when this heartbeat outbreak happened last Monday... I spoke to my
colleague yesterday as this is one of the projects of big brother,
who paid an open source developer working with a specific application to
insert backdoor codes... (I have to use other words so that big
brother's scanner won't see it)... to my surprise... he mentioned to me
that he worked at noviembre sierra alfa previously and he can
confirm that but he won't go into the details... I also said to
him that I saw one backdoor in the Linux kernel and until now it is still in
there... you can't see it with a normal CLI command but it is there sitting
innocently...

I made a statement in ph-cyberview a year or so ago that we are not
safe anymore... much worse if you are inside China...


fooler.

On Wed, Apr 9, 2014 at 3:36 PM, fooler mail <[email protected]> wrote:
> hi drexx,
>
> google security guy is the one who found the bug and google fixed
> their sites before sending the info to the community...
>
> below is the site to test the bug vulnerability..
>
> http://packetstormsecurity.com/files/author/11160/
>
> fooler.
>
> On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal]
> <[email protected]> wrote:
>> 09Apr2014 (UTC +8)
>>
>> Here's a quick test on your localhost, & you don't even need to be root...
>>
>>
>> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'
>>
>> TLS server extension "heartbeat" (id=15), len=1
>>
>> drexx@MACHINE:~$ date;
>> Wed Apr  9 21:02:58 PHT 2014
>>
>> drexx@MACHINE:~$ uname -a
>> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>
>>
>> Drexx Laggui  -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
>> http://www.laggui.com  ( Manila & California )
>> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
>> PGP fingerprint = 0117 15C5 F3B1 6564 59EA  6013 1308 9A66 41A2 3F9B
>>
>>
>> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar <[email protected]> wrote:
>>>
>>> And I may add this link for the exact patch version, since different package
>>> revisions exist for different versions of Ubuntu -
>>> http://www.ubuntu.com/usn/usn-2165-1/
>>>
>>> Ubuntu 13.10:
>>>     libssl1.0.0 1.0.1e-3ubuntu1.2
>>> Ubuntu 12.10:
>>>     libssl1.0.0 1.0.1c-3ubuntu2.7
>>> Ubuntu 12.04 LTS:
>>>     libssl1.0.0 1.0.1-4ubuntu5.12
>>>
>>> As for CentOS 6, they haven't released a patch version, but the latest
>>> available in the update repo has the heartbeat feature disabled as an interim
>>> workaround, so upgrade when you can:
>>> http://www.spinics.net/lists/centos-announce/msg04910.html
>>>
>>>
>>> -----
>>>
>>> -[ OpenSource, Open Ideas ]-
>>>
>>>
>>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail <[email protected]> wrote:
>>>>
>>>> pluggers,
>>>>
>>>> action needed from you if you are not aware of this serious security
>>>> hole...
>>>>
>>>> http://www.openssl.org/news/secadv_20140407.txt
>>>>
>>>> update/patch your openssl package... create a new private key using
>>>> updated/patched openssl... create a new CSR based on that new private
>>>> key and update your https site(s) with a new signed certificate (this
>>>> includes self-signed certificates as well)
>> _________________________________________________
>> Philippine Linux Users' Group (PLUG) Mailing List
>> http://lists.linux.org.ph/mailman/listinfo/plug
>> Searchable Archives: http://archives.free.net.ph
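
The remediation steps from the first message in this thread (patch, new private key, new CSR, new certificate), as an added example that is not part of the original emails: it creates a fresh key and CSR and refuses a CSR that still carries the key from the old certificate. File names and the subject are hypothetical placeholders; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example (not from the thread): rotate a TLS key after patching OpenSSL
# and confirm the new CSR does not carry the old, possibly exposed key.
# All file names and the subject are hypothetical placeholders.

# Print the SHA-256 of the public key held in a key, CSR or certificate.
# $1 = key|csr|cert, $2 = PEM file. Returns 1 if the file cannot be parsed.
pub_fp() {
    case "$1" in
        key)  fp_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  fp_pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) fp_pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 1 ;;
    esac || return 1
    [ -n "$fp_pem" ] || return 1
    printf '%s\n' "$fp_pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if the CSR carries the same public key as the old key/cert
# (no rotation happened), 1 if the keys differ, 2 if a file is unreadable.
# $1 = key|cert (kind of old file), $2 = old file, $3 = new CSR.
csr_reuses_key() {
    old_fp=$(pub_fp "$1" "$2") || return 2
    new_fp=$(pub_fp csr "$3") || return 2
    [ "$old_fp" = "$new_fp" ]
}

# Create a fresh 2048-bit RSA key (owner-readable only) and a CSR for it.
# $1 = new key path, $2 = new CSR path, $3 = subject such as "/CN=www.example.test".
new_key_and_csr() {
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null ) || return 2
    openssl req -new -key "$1" -out "$2" -subj "$3" 2>/dev/null || return 2
}

# Usage: rotate.sh OLD_CERT NEW_KEY NEW_CSR SUBJECT  (run with the patched openssl)
if [ "$#" -eq 4 ]; then
    new_key_and_csr "$2" "$3" "$4" || { echo "key/CSR generation failed" >&2; exit 2; }
    rc=0; csr_reuses_key cert "$1" "$3" || rc=$?
    case "$rc" in
        0) echo "REFUSE: $3 reuses the key from $1" >&2; exit 1 ;;
        1) echo "OK: $3 carries a new key; submit it for signing" ;;
        *) echo "cannot read $1 or $3" >&2; exit 2 ;;
    esac
fi
```

The same csr_reuses_key check can be run on any CSR before it is sent for signing, which catches a request that was regenerated from the old key file.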