Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Randy Bush
I'm really surprised no one has mentioned this here yet... we're all too damned busy updating and generating keys you might like (thanks smb, or was it sra) openssl s_client -connect google\.com:443 -tlsextdebug 2>&1 | grep 'server extension heartbeat (id=15)' || echo safe randy, who is almost

Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Maxim Khitrov
On Tue, Apr 8, 2014 at 4:35 AM, Randy Bush ra...@psg.com wrote: I'm really surprised no one has mentioned this here yet... we're all too damned busy updating and generating keys you might like (thanks smb, or was it sra) openssl s_client -connect google\.com:443 -tlsextdebug 2>&1 | grep

Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Rob Seastrom
Randy Bush ra...@psg.com writes: you might like (thanks smb, or was it sra) openssl s_client -connect google\.com:443 -tlsextdebug 2>&1 | grep 'server extension heartbeat (id=15)' || echo safe protip: you have to run this from a device that actually is running 1.0.x, i.e. supports the

Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Michael Thomas
Just as a data point, I checked the servers I run and it's a good thing I didn't reflexively update them first. On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have the vulnerability, but the ones queued up for update do. I assume that redhat will get the patched version

Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Richard Hesse
The updated CentOS openssl binaries haven't patched the underlying bug, but they have disabled the heartbeat functionality. By doing so, they've disabled the attack vector. Once upstream releases a fix, they will re-enable the heartbeat function with the working patch. And yes, don't forget to

Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Jonathan Lassoff
For testing, I've had good luck with https://github.com/titanous/heartbleeder and https://gist.github.com/takeshixx/10107280 Both are mostly platform-independent, so they should be able to work even if you don't have a modern OpenSSL to test with. Cheers and good luck (you're going to need it),

RE: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread David Hubbard
1.0.1 was not deployed until RHEL 6.5. RedHat released patches for RHEL last night, and CentOS followed suit a few minutes later. -Original Message- From: Michael Thomas [mailto:m...@mtcc.com] Sent: Tuesday, April 08, 2014 12:03 PM To: nanog@nanog.org Subject: Re: Fwd: Serious bug

Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Steve Clark
According to the changelog the CVE is fixed now. $ rpm -qa|grep openssl openssl-1.0.1e-16.el6_5.7.x86_64 openssl-devel-1.0.1e-16.el6_5.7.x86_64 Tue Apr 8 12:17:25 EDT 2014 Z643357:~ $ rpm -q --changelog openssl | less * Mon Apr 07 2014 Tomáš Mráz tm...@redhat.com 1.0.1e-16.7 - fix CVE-2014-0160

Re: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-07 Thread Peter Kristolaitis
OK, now... it's far too late for April Fool's. :( That's scary as heck. :( Guess I know what the first order of business will be tomorrow... - Pete On 4/8/2014 1:06 AM, Paul Ferguson wrote: I'm really surprised no one has mentioned this