On Mon, Apr 7, 2014 at 10:01 PM, Matthew Wild <mwi...@gmail.com> wrote:

> Today a serious security vulnerability in the popular encryption
> library OpenSSL was publicly announced. This issue affects all
> software using OpenSSL, including Prosody.
> The bug allows external attackers to read the memory of any process
> using OpenSSL, by connecting to it and sending specially crafted
> packets. In Prosody's case this puts at risk lots of data, including
> (but not limited to) passwords, messages, and your certificate's key
> file used to protect SSL/TLS traffic.
> Our advice is to upgrade OpenSSL immediately; Debian, Ubuntu and many
> other distributions already have fixes available. On Debian/Ubuntu
> run:
>   sudo apt-get update
>   sudo apt-get upgrade
>   sudo service prosody restart
> Don't forget to restart any other services you have as well that use
> OpenSSL, such as your web server or mail server. Alternatively you may
> simply reboot to ensure all services are restarted.
> More generic information on the issue can be found at
> http://heartbleed.com/
> I'll try and finish off with some good news:
>   - if your client used the more advanced SCRAM-SHA-1 mechanism to
> authenticate to Prosody and you use hashed password storage, your
> password is probably safe (it would take considerable targeted effort
> to recover)
>   - if you used OTR or some other end-to-end encryption mechanism with
> your contacts, your message contents are probably safe
>   - if you used TLS ciphers with forward secrecy then generally your
> encrypted traffic could not easily be decrypted even if your
> certificate's key file was compromised (though individual connections
> active around the time of an attack could still be compromised)
>   - the flaw in OpenSSL has existed for around two years, but we
> cannot know for sure that it has actually been exploited by anyone
> Further reading:
>   Information and FAQ: http://heartbleed.com/
>   OpenSSL advisory: http://www.openssl.org/news/secadv_20140407.txt
>   Debian advisory: http://www.debian.org/security/2014/dsa-2896
>   Ubuntu advisory: http://www.ubuntu.com/usn/usn-2165-1/
The problem isn't limited to servers; it affects clients and desktop
machines as well. Be sure to update all your desktop machines, Windows and
OS X Jabber clients, other open source software that bundles OpenSSL, etc.

I recommend rebooting your machines, as there may be things running using
openssl which aren't immediately obvious.

You can check your version of openssl on Debian/Ubuntu like this:

  dpkg --get-selections | grep libssl

Only versions 1.0.x are affected; 0.9.8 is not affected.

If you just wish to upgrade openssl, and not all other packages:

  sudo apt-get update
  sudo apt-get install libssl1.0.0 openssl

After upgrading, if you cannot immediately reboot for some reason, to check
which running processes are depending on the older deleted libssl files:

  sudo lsof -n | grep ssl | grep DEL

Waqas Hussain
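As an added example, not part of this thread: a POSIX shell equivalent of the
"lsof -n | grep ssl | grep DEL" step above, reading /proc/<pid>/maps directly
for libssl/libcrypto mappings marked "(deleted)", which is what a process
still running the pre-upgrade library looks like. The function names, the
PROC_ROOT argument and the demo tree are my own constructions; on a real host
call list_stale_ssl_users with no argument to scan /proc.

```shell
#!/bin/sh
# Print "pid comm path" for every process that still maps a libssl or
# libcrypto shared object whose file was replaced by the upgrade.
# Argument (assumed): a /proc-like root; defaults to /proc.
list_stale_ssl_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        # maps columns: addr perms offset dev inode path [(deleted)]
        grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null \
            | awk '{print $6}' | sort -u | while read -r path; do
                comm=$(cat "$pid_dir/comm" 2>/dev/null || echo '?')
                printf '%s %s %s\n' "$pid" "$comm" "$path"
            done
    done
}

# Number of distinct processes affected; non-zero means restart or reboot.
count_stale_ssl_users() {
    list_stale_ssl_users "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Constructed demo tree (not real data): pid 1234 "prosody" still maps the
# deleted pre-upgrade libraries, pid 5678 "sshd" was started after the upgrade.
make_demo_proc_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/1234" "$root/5678"
    echo prosody > "$root/1234/comm"
    echo sshd > "$root/5678/comm"
    cat > "$root/1234/maps" <<'EOF'
7f3a6c000000-7f3a6c1ff000 r-xp 00000000 08:01 131345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a6c400000-7f3a6c5ff000 r-xp 00000000 08:01 131300 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a6d000000-7f3a6d1ff000 r-xp 00000000 08:01 131400 /lib/x86_64-linux-gnu/libc-2.13.so
EOF
    cat > "$root/5678/maps" <<'EOF'
7f1b2c000000-7f1b2c1ff000 r-xp 00000000 08:01 131500 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
EOF
    echo "$root"
}
```

Running the check against the demo tree lists only pid 1234 (both libssl and libcrypto); on a live system any line of output names a service that must be restarted.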
