In case this helps, here's what our campus security folks sent out this morning.
==============================================================================
Mitigation:
"Affected users should upgrade to OpenSSL 1.0.1g. Users unable to
immediately upgrade can alternatively recompile OpenSSL with
-DOPENSSL_NO_HEARTBEATS."
Quick remote test for potential vulnerability (from linux):
echo ""|openssl s_client -connect $MYHOST:443 -tlsextdebug 2>&1 \
| egrep 'heartbeat'
An example response of a potentially vulnerable host would be:
TLS server extension "heartbeat" (id=15), len=1
Quick local check for vulnerability:
openssl version -a
Any version other than 1.0.1 through 1.0.1f should be safe. In any
1.0.1 version, if the -DOPENSSL_NO_HEARTBEATS flag is listed in the
compiler flags, that should mean you're safe.
Spot check:
openssl version -a | grep -oE '1\.0\.1[a-g]?|DOPENSSL_NO_HEARTBEATS'
This should give you the version, if it's 1.0.1, and whether
OPENSSL_NO_HEARTBEATS was listed.
Adding to the spot checks above, once you patch with the official
patches from Ubuntu/Debian/RHEL these simple openssl checks will still
show the heartbeat extension enabled but it shouldn't be vulnerable
anymore. If you have access to Qualys for scanning, the QID for
scanning for this vulnerability is 42430.
The http://heartbleed.com/ site recommends re-issuing certificates
in case of prior compromise of existing private keys as there is no
way to differentiate from normal traffic.
We are recommending that our users do this, and also change any
credentials used over the SSL connection, especially in the last few days. The
vulnerability is easily exploitable and a few tests have returned
valid session cookies at the very least. Supposedly the server's
private key can be exposed as well. Passively there's no way to
determine if this is being exploited. I haven't had time to test with
debugging enabled.
=======================================================================
Jamie Duncan wrote on 4/8/2014 12:44 PM:
The bug was only applicable to RHEL/CentOS/OEL/SL 6.5+
https://access.redhat.com/site/solutions/781793
On Tue, Apr 8, 2014 at 1:36 PM, Jeffrey Anderson <[email protected]> wrote:
Is SL5 vulnerable, and will there be a patch?
On Tue, Apr 8, 2014 at 7:10 AM, Pat Riehecky <[email protected]> wrote:
The updated package should be available now.
Pat
On 04/08/2014 05:43 AM, Adam Bishop wrote:
Good Morning,
I've not seen a fixed OpenSSL package drop into the repos as of
yet.
Apologies for asking the question, but how quickly will this be
packaged and made available (i.e. should I start building the
package myself)?
Regards,
Adam Bishop
Systems Development Specialist
gpg: 0x6609D460
t: +44 (0)1235 822 245
xmpp: [email protected]
Janet, the UK's research and education network.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No.
2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/
--
--------------------------------------------------------------
Jeffrey Anderson | [email protected]
Lawrence Berkeley National Laboratory |
Office: 50A-5104E | Mailstop 50A-5101
Phone: 510 486-4208 | Fax: 510 486-4204
--
Thanks,
Jamie Duncan
@jamieeduncan
--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill.
MailTo:[email protected] | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
"Information without accountability is just noise." - P.L. Nelson
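The local version check from the campus advisory quoted at the top of the thread, written out as a small script. This is an added example, not something from the advisory or the list; it applies the advisory's own rule (1.0.1 through 1.0.1f is affected unless -DOPENSSL_NO_HEARTBEATS is in the compiler flags, 1.0.1g is fixed) to `openssl version -a` output, and the sample dumps it feeds in are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: apply the advisory's rule to the
# output of `openssl version -a` and print a one-word verdict.
#   vulnerable   - 1.0.1 through 1.0.1f without -DOPENSSL_NO_HEARTBEATS
#   compiled-out - same branch, but heartbeats were compiled out
#   fixed        - 1.0.1g
#   not-affected - any other branch (1.0.0, 0.9.8, ...)
#   unknown      - no "OpenSSL x.y.z" line found
# Caveat from the thread: distro backports (RHEL/Debian/Ubuntu) keep the old
# version string after patching, so "vulnerable" here means "check the
# package changelog", not proof of exposure.

assess_openssl_version() {            # reads `openssl version -a` output on stdin
    out=$(cat)
    # First token after "OpenSSL", minus suffixes such as "-fips".
    version=$(printf '%s\n' "$out" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1)
    case "$version" in
        '')              echo unknown ;;
        1.0.1|1.0.1[a-f])
            # "--" stops grep from reading the -D... pattern as an option.
            if printf '%s\n' "$out" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'; then
                echo compiled-out
            else
                echo vulnerable
            fi ;;
        1.0.1g)          echo fixed ;;
        *)               echo not-affected ;;
    esac
}

# Constructed sample dumps in the format `openssl version -a` prints.
SAMPLE_VULN='OpenSSL 1.0.1e-fips 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN'
SAMPLE_NOHB='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -D_REENTRANT'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT'
SAMPLE_OLD='OpenSSL 1.0.0k 5 Feb 2013
compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT'

for s in "$SAMPLE_VULN" "$SAMPLE_NOHB" "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    printf '%-32s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" \
        "$(printf '%s\n' "$s" | assess_openssl_version)"
done
# To check the local build instead: openssl version -a | assess_openssl_version
```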