On Mon, Apr 7, 2014 at 10:01 PM, Matthew Wild <mwi...@gmail.com> wrote:
> Today a serious security vulnerability in the popular encryption
> library OpenSSL was publicly announced. This issue affects all
> software using OpenSSL, including Prosody.
> The bug allows external attackers to read the memory of any process
> using OpenSSL, by connecting to it and sending specially crafted
> packets. In Prosody's case this puts at risk lots of data, including
> (but not limited to) passwords, messages, and your certificate's key
> file used to protect SSL/TLS traffic.
> Our advice is to upgrade OpenSSL immediately, Debian, Ubuntu and many
> other distributions already have fixes available. On Debian/Ubuntu
> sudo apt-get update
> sudo apt-get upgrade
> sudo service prosody restart
> Don't forget to restart any other services you have as well that use
> OpenSSL, such as your web server or mail server. Alternatively you may
> simply reboot to ensure all services are restarted.
> More generic information on the issue can be found at
> I'll try and finish off with some good news:
> - if your client used the more advanced SCRAM-SHA-1 mechanism to
> authenticate to Prosody and you use hashed password storage, your
> password is probably safe (it would take considerable targeted effort
> to recover)
> - if you used OTR or some other end-to-end encryption mechanism with
> your contacts, your message contents are probably safe
> - if you used TLS ciphers with forward secrecy then generally your
> encrypted traffic could not easily be decrypted even if your
> certificate's key file was compromised (though individual connections
> active around the time of an attack could still be compromised)
> - the flaw in OpenSSL has existed for around two years, but we
> cannot know for sure that it has actually been exploited by anyone
> Further reading:
> Information and FAQ: http://heartbleed.com/
> OpenSSL advisory: http://www.openssl.org/news/secadv_20140407.txt
> Debian advisory: http://www.debian.org/security/2014/dsa-2896
> Ubuntu advisory: http://www.ubuntu.com/usn/usn-2165-1/
The problem isn't limited to servers, it affects clients and desktop
machines as well. Be sure to update all your desktop machines, Windows and
OS X Jabber clients, other open source software that bundles OpenSSL, etc.
I recommend rebooting your machines, as there may be things running using
openssl which aren't immediately obvious.
You can check your version of openssl on Debian/Ubuntu like this:
dpkg --get-selections | grep libssl
Only versions 1.0.x are affected. 0.9.8 is not affected.
If you just wish to upgrade openssl, and not all other packages:
sudo apt-get update
sudo apt-get install libssl1.0.0 openssl
After upgrading, if you cannot immediately reboot for some reason, to check
which running processes are depending on the older deleted libssl files:
sudo lsof -n | grep ssl | grep DEL
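The two checks the reply describes, as an added POSIX shell example that is not part of either message. The `lsof` lines are constructed to mirror the Linux `lsof -n` layout; the upstream version range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) and the note that Debian/Ubuntu ship the fix without changing the upstream version string are stated here as facts, not taken from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread.
#  is_upstream_affected VERSION   exit 0 if an upstream OpenSSL version string is in
#                                 the Heartbleed range (1.0.1 .. 1.0.1f, 1.0.2-beta1).
#    Caveat: Debian/Ubuntu patch in place and keep the upstream string (e.g. 1.0.1e),
#    so there the dpkg package version, not `openssl version`, is what decides.
#  stale_ssl_users LSOF_OUTPUT    print "COMMAND PID" of processes still mapping a
#                                 deleted libssl/libcrypto, i.e. those needing a restart.

is_upstream_affected() {
  # Accept either "1.0.1e" or the full "OpenSSL 1.0.1e 11 Feb 2013" line.
  v=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9a-z.-]*\).*/\2/p')
  case "$v" in
    1.0.1|1.0.1[a-f]) return 0 ;;   # vulnerable, fixed upstream in 1.0.1g
    1.0.2-beta1)      return 0 ;;   # development release, also vulnerable
    *)                return 1 ;;   # 0.9.8, 1.0.0, 1.0.1g and later are not affected
  esac
}

stale_ssl_users() {
  # FD column "DEL" marks a mapped file that was deleted on disk (the upgrade
  # replaced it); the path is always the last field, whatever else is blank.
  printf '%s\n' "$1" |
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $1, $2 }' | sort -u
}

# Constructed sample in the layout of `sudo lsof -n` (not a real capture).
SAMPLE_LSOF='COMMAND   PID  USER    FD   TYPE DEVICE SIZE/OFF NODE NAME
prosody   1234 prosody DEL  REG  8,1   431200 5551 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
prosody   1234 prosody DEL  REG  8,1  1934016 5552 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx     2222 root    DEL  REG  8,1  1934016 5552 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sshd      3333 root    mem  REG  8,1   431200 6001 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Stand-alone run: classify a sample version string and list processes to restart.
if is_upstream_affected "OpenSSL 1.0.1e 11 Feb 2013"; then
  echo "1.0.1e: upstream string is in the affected range (check the package version)"
fi
echo "processes still using a deleted libssl/libcrypto:"
stale_ssl_users "$SAMPLE_LSOF"
```

On a live system, replace `$SAMPLE_LSOF` with `"$(sudo lsof -n)"` and pass `"$(openssl version)"` to the version check.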
Visit this group at http://groups.google.com/group/prosody-dev.