Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Pat Riehecky

The updated package should be available now.

Pat

On 04/08/2014 05:43 AM, Adam Bishop wrote:

Good Morning,

I've not seen a fixed OpenSSL package drop into the repos as of yet.

Apologies for asking the question, but how quickly will this be packaged and 
made available (i.e. should I start building the package myself)?

Regards,

Adam Bishop
Systems Development Specialist

   gpg: 0x6609D460
 t: +44 (0)1235 822 245
  xmpp: ad...@jabber.dev.ja.net

Janet, the UK's research and education network.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238



--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/


RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Bohmer, Andre ten
Yep, it is, and a heartbleed check now fails (don't forget to restart httpd and 
other services which rely on openssl).

Thanks!
Andre

> -Original Message-
> From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-
> scientific-linux-users@listserv.fnal.gov] On Behalf Of Pat Riehecky
> Sent: dinsdag 8 april 2014 16:10
> To: Adam Bishop; SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
> Subject: Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability
> 
> The updated package should be available now.
> 
> Pat
> 
> On 04/08/2014 05:43 AM, Adam Bishop wrote:
> > Good Morning,
> >
> > I’ve not seen a fixed OpenSSL package drop into the repo’s as of yet.
> >
> > Apologies for asking the question, but how quickly will this be packaged
> and made available (i.e. should I start building the package myself)?
> >
> > Regards,
> >
> > Adam Bishop
> > Systems Development Specialist
> >
> >gpg: 0x6609D460
> >  t: +44 (0)1235 822 245
> >   xmpp: ad...@jabber.dev.ja.net
> >
> > Janet, the UK's research and education network.
> >
> >
> > Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> > not-for-profit company which is registered in England under No.
> > 2881024 and whose Registered Office is at Lumen House, Library Avenue,
> > Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
> 
> 
> --
> Pat Riehecky
> 
> Scientific Linux developer
> http://www.scientificlinux.org/
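
Andre's reminder to restart httpd and the other services that rely on openssl rests on a detail worth checking rather than assuming: installing the fixed RPM replaces the library files on disk, but every daemon started before the update keeps the old libssl/libcrypto mapped in memory and is still running the vulnerable code. Because rpm unlinks the old inode, the kernel tags those mappings "(deleted)" in /proc/<pid>/maps, which gives a simple way to list what still needs a restart. The script below is an added example written for this thread, not code from the list or from Scientific Linux; it assumes a Linux /proc, and the maps content used in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the list thread): find processes that still have the
# pre-update OpenSSL libraries mapped. rpm replaces files by unlinking the old
# inode, so such mappings show up as "(deleted)" in /proc/<pid>/maps.
# Assumes a Linux /proc; the sample maps content in demo() is constructed.

# Print the stale OpenSSL shared objects listed in one maps file.
# Usage: stale_ssl_libs /proc/<pid>/maps
stale_ssl_libs() {
    # maps columns: address perms offset dev inode pathname [(deleted)]
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $NF == "(deleted)" { print $6 }' "$1" | sort -u
}

# Walk every process and print "pid comm library" for each stale mapping.
# Anything printed here needs a restart before the host is actually fixed.
scan_all_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_libs "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            echo "$pid $comm $lib"
        done
    done
}

# Demo on constructed data: an httpd worker that was not restarted after the
# update. Both OpenSSL libraries are stale; libc is not and must not be listed.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
7f2a1c000000-7f2a1c021000 r-xp 00000000 fd:00 131091 /lib64/libssl.so.1.0.1e (deleted)
7f2a1c221000-7f2a1c230000 rw-p 00021000 fd:00 131091 /lib64/libssl.so.1.0.1e (deleted)
7f2a1c400000-7f2a1c5b0000 r-xp 00000000 fd:00 131088 /lib64/libcrypto.so.1.0.1e (deleted)
7f2a1c800000-7f2a1c9a0000 r-xp 00000000 fd:00 131077 /lib64/libc-2.12.so
EOF
    stale_ssl_libs "$tmp"
    rm -f "$tmp"
}

# On a real host run scan_all_processes as root, so that every process's maps
# file is readable; an empty result means no restart is outstanding.
```

The same information is what the needs-restarting tool from yum-utils reports on EL6; the hand-rolled scan is useful on hosts where yum-utils is not installed, and it makes the point that "patched" only becomes true once the list is empty.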



Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Adam Bishop
On 8 Apr 2014, at 15:10, Pat Riehecky  wrote:
> 
> The updated package should be available now.

Brilliant, thanks for update.

Regards,

Adam Bishop

  gpg: 0x6609D460

Janet, the UK's research and education network.



Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Steven Miano
The advice so far is not only to patch up and restart services/hosts, but
also to revoke the certs and create new ones.

As the vulnerability left no trace of its happenings in any logs, someone
who was actively exploiting it could still use the private key or other
ill-begotten materials.

Just a heads up.

RHEL/SL/Ubuntu/etc really aren't the big cause for concern (in many cases),
but more so the appliances that many enterprises use/buy/deploy..


On Tue, Apr 8, 2014 at 10:47 AM, Adam Bishop  wrote:

> On 8 Apr 2014, at 15:10, Pat Riehecky  wrote:
> >
> > The updated package should be available now.
>
> Brilliant, thanks for update.
>
> Regards,
>
> Adam Bishop
>
>   gpg: 0x6609D460
>
> Janet, the UK's research and education network.
>
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>



-- 
 Miano, Steven M.
http://stevenmiano.com
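
Steven's point that an attacker may already hold the private key makes key rotation, not merely certificate reissue, the remediation: a new certificate signed over the old key changes nothing. The script below is an added example for this thread, not code from the list or from any distribution. It assumes the openssl command-line tool; the file names and the example.test common name are placeholders. It generates a new key and CSR under a restrictive umask and then verifies, by comparing RSA moduli, that the CSR really carries a fresh key rather than the compromised one.

```shell
#!/bin/sh
# Added example (not from the list thread): rotate a server's TLS key pair
# after the fixed package is installed and services are restarted. A key that
# was loaded in a vulnerable OpenSSL is treated as exposed, so the rotation
# must produce a NEW key, and the old certificate is revoked at the CA.
# Assumes the openssl CLI; all paths and the CN are placeholders.

# Create a fresh RSA key and a CSR for it: $1 key file, $2 CSR file, $3 CN.
new_key_and_csr() {
    ( umask 077                       # private key readable by its owner only
      openssl genrsa -out "$1" 2048 2>/dev/null &&
      openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null )
}

# Compare the RSA modulus in the old certificate with that of the new key.
# Prints "rotated" when they differ, "reused-key" when the old key was kept,
# which is the mistake that makes a reissued certificate worthless.
key_rotation_status() {               # $1 old certificate, $2 new private key
    old=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null || true)
    new=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null || true)
    if [ -n "$old" ] && [ "$old" = "$new" ]; then
        echo reused-key
    else
        echo rotated
    fi
}

# Self-contained demo: build an "old" self-signed certificate, rotate, then
# check both the correct outcome and the reused-key failure mode.
demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/old.key" -out "$d/old.crt" -days 1 \
        -subj "/CN=example.test" 2>/dev/null
    new_key_and_csr "$d/new.key" "$d/new.csr" "example.test"
    good=$(key_rotation_status "$d/old.crt" "$d/new.key")
    bad=$(key_rotation_status "$d/old.crt" "$d/old.key")
    rm -rf "$d"
    echo "$good $bad"                 # prints: rotated reused-key
}
```

The CSR is what goes to the CA for the replacement certificate; the check belongs in the same change window as the revocation of the old certificate and the rotation of any credentials that crossed the affected TLS sessions.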


RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread peter.chiu
x.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
Trying other mirror.
ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno -1] Metadata file does not match checksum
Trying other mirror.
Error: failure: repodata/primary.sqlite.bz2 from sl-security: [Errno 256] No 
more mirrors to try.
[root@geant ~]#


-Original Message-
From: Pat Riehecky [mailto:riehe...@fnal.gov] 
Sent: 08 April 2014 15:10
To: Adam Bishop; SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Subject: Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

The updated package should be available now.

Pat

On 04/08/2014 05:43 AM, Adam Bishop wrote:
> Good Morning,
>
> I’ve not seen a fixed OpenSSL package drop into the repo’s as of yet.
>
> Apologies for asking the question, but how quickly will this be packaged and 
> made available (i.e. should I start building the package myself)?
>
> Regards,
>
> Adam Bishop
> Systems Development Specialist
>
>gpg: 0x6609D460
>  t: +44 (0)1235 822 245
>   xmpp: ad...@jabber.dev.ja.net
>
> Janet, the UK's research and education network.
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
> not-for-profit company which is registered in England under No. 
> 2881024 and whose Registered Office is at Lumen House, Library Avenue, 
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Pat Riehecky
qlite.
bz2: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 
Unknown"
Trying other mirror.
http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
Trying other mirror.
ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno -1] Metadata file does not match checksum
Trying other mirror.
Error: failure: repodata/primary.sqlite.bz2 from sl-security: [Errno 256] No 
more mirrors to try.
[root@geant ~]#


-Original Message-
From: Pat Riehecky [mailto:riehe...@fnal.gov]
Sent: 08 April 2014 15:10
To: Adam Bishop; SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Subject: Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

The updated package should be available now.

Pat

On 04/08/2014 05:43 AM, Adam Bishop wrote:

Good Morning,

I’ve not seen a fixed OpenSSL package drop into the repo’s as of yet.

Apologies for asking the question, but how quickly will this be packaged and 
made available (i.e. should I start building the package myself)?

Regards,

Adam Bishop
Systems Development Specialist

gpg: 0x6609D460
  t: +44 (0)1235 822 245
   xmpp: ad...@jabber.dev.ja.net

Janet, the UK's research and education network.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No.
2881024 and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/



--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/


RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread peter.chiu
Thanks, Pat,

From a web browser, I can see the updates openssl-1.0.1e-16.el6_5.7.x86_64.rpm  
under:
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/

So your updates are there,  but my yum installation could not reach them.

I have tried: yum clean expire-cache; yum repolist still reports the errors:

http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno -1] Metadata file does not match checksum
Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2
  [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
Trying other mirror.

I did try yum clean metadata, no joy.

I have also tried wget:
[root@geant ~]# wget 
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz
--2014-04-08 16:45:08--  
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz
Resolving wwwcache.rl.ac.uk... 130.246.132.179
Connecting to wwwcache.rl.ac.uk|130.246.132.179|:8080... connected.
Proxy request sent, awaiting response... 404 Not Found
2014-04-08 16:45:08 ERROR 404: Not Found.

Any idea?

Peter


-Original Message-
From: Pat Riehecky [mailto:riehe...@fnal.gov] 
Sent: 08 April 2014 16:05
To: Chiu, Peter (STFC,RAL,RALSP); SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Subject: Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

H.

I'll run another fsync to make sure everything is down on disk.

Can I have you run:

yum clean expire-cache

And try another yum check-update?

Pat

On 04/08/2014 10:00 AM, peter.c...@stfc.ac.uk wrote:
> Hello Pat,
>
> Just tried yum clean all; yum repolist; yum check-update
>
> but not show for the latest OpenSSL fixes.
> Is there a particular repository to use?
>
> Regards,
> Peter
> 
> [root@geant ~]# yum clean all; yum repolist; yum check-update Loaded 
> plugins: refresh-packagekit, security Cleaning repos: atrpms elrepo 
> epel rpmforge sl sl-security sl6x sl6x-security Cleaning up Everything 
> Loaded plugins: refresh-packagekit, security
> atrpms
> | 3.5 kB 00:00
> atrpms/primary_db 
> | 1.7 MB 00:00
> elrepo
> | 2.9 kB 00:00
> elrepo/primary_db 
> | 612 kB 00:00
> epel/metalink 
> |  25 kB 00:00
> epel  
> | 4.4 kB 00:00
> epel/primary_db   
> | 6.0 MB 00:00
> rpmforge  
> | 1.9 kB 00:00
> rpmforge/primary_db   
> | 2.7 MB 00:00
> sl
> | 3.6 kB 00:00
> sl/primary_db 
> | 4.1 MB 00:00
> sl-security   
> | 3.0 kB 00:00
> sl-security/primary_db
> | 1.9 MB 00:00
> http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
>  [Errno -1] Metadata file does not match checksum
> Trying other mirror.
> http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
>  [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
> Trying other mirror.
> http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
>  [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
> Trying other mirror.
> ftp://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
>  [Errno -1] Metadata file does not match checksum
> Trying other mirror.
> sl-security/primary_db
> | 1.9 MB 00:00
> http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
>  [Errno -1] Metadata file does not match checksum
> Trying other mirror.
> http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite
>  bz2: [Errno 14] PYCURL ERROR 22 - "The requ

RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread peter.chiu
Hello Pat,

With the help of a local admin, this mystery was solved by adding this entry in 
/etc/yum.conf:

http_caching=packages

If I understand this correctly, this entry will enable the software packages to 
be cached by the site web cache, but
not the metadata.

yum update now shows the openssl updates.

Thanks.
Regards,
Peter

-Original Message-
From: Chiu, Peter (STFC,RAL,RALSP) 
Sent: 08 April 2014 16:51
To: Pat Riehecky; SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Cc: Chiu, Peter (STFC,RAL,RALSP)
Subject: RE: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

Thanks, Pat,

From a web browser, I can see the updates openssl-1.0.1e-16.el6_5.7.x86_64.rpm  
under:
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/

So your updates are there,  but my yum installation could not reach them.

I have tried: yum clean expire-cache; yum repolist still reports the errors:

http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
 [Errno -1] Metadata file does not match checksum Trying other mirror.
http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2
  [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
Trying other mirror.

I did try yum clean metadata, no joy.

I have also tried wget:
[root@geant ~]# wget 
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz
--2014-04-08 16:45:08--  
http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz
Resolving wwwcache.rl.ac.uk... 130.246.132.179 Connecting to 
wwwcache.rl.ac.uk|130.246.132.179|:8080... connected.
Proxy request sent, awaiting response... 404 Not Found
2014-04-08 16:45:08 ERROR 404: Not Found.

Any idea?

Peter


-Original Message-
From: Pat Riehecky [mailto:riehe...@fnal.gov]
Sent: 08 April 2014 16:05
To: Chiu, Peter (STFC,RAL,RALSP); SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Subject: Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

H.

I'll run another fsync to make sure everything is down on disk.

Can I have you run:

yum clean expire-cache

And try another yum check-update?

Pat

On 04/08/2014 10:00 AM, peter.c...@stfc.ac.uk wrote:
> Hello Pat,
>
> Just tried yum clean all; yum repolist; yum check-update
>
> but not show for the latest OpenSSL fixes.
> Is there a particular repository to use?
>
> Regards,
> Peter
> 
> [root@geant ~]# yum clean all; yum repolist; yum check-update Loaded
> plugins: refresh-packagekit, security Cleaning repos: atrpms elrepo 
> epel rpmforge sl sl-security sl6x sl6x-security Cleaning up Everything 
> Loaded plugins: refresh-packagekit, security
> atrpms
> | 3.5 kB 00:00
> atrpms/primary_db 
> | 1.7 MB 00:00
> elrepo
> | 2.9 kB 00:00
> elrepo/primary_db 
> | 612 kB 00:00
> epel/metalink 
> |  25 kB 00:00
> epel  
> | 4.4 kB 00:00
> epel/primary_db   
> | 6.0 MB 00:00
> rpmforge  
> | 1.9 kB 00:00
> rpmforge/primary_db   
> | 2.7 MB 00:00
> sl
> | 3.6 kB 00:00
> sl/primary_db 
> | 4.1 MB 00:00
> sl-security   
> | 3.0 kB 00:00
> sl-security/primary_db
> | 1.9 MB 00:00
> http://ftp.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
>  [Errno -1] Metadata file does not match checksum
> Trying other mirror.
> http://ftp1.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
>  [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
> Trying other mirror.
> http://ftp2.scientificlinux.org/linux/scientific/6.5/x86_64/updates/security/repodata/primary.sqlite.bz2:
>  [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 416 Unknown"
> Trying other mirror.
> ftp://ftp.sci

Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Kelsey Cummings
On 4/8/2014 7:10 AM, Pat Riehecky wrote:
> The updated package should be available now.

Pat, can you clarify if this is the Real Fix from the upstream or just a
build with heartbeats disabled.  I grabbed the CentOS quick fix and
pushed it out to all of our SL systems last night in part since their
announcement stated that their package versioning would be overridden
when the upstream released the fix.  Just trying to figure out if I have
to force the new one out or if there's going to be another version bump
soon.

-- 
Kelsey Cummings - k...@corp.sonic.net  sonic.net, inc.
System Architect  2260 Apollo Way
707.522.1000  Santa Rosa, CA 95407


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Jamie Duncan
CentOS hacked up a fix that disabled the feature prior to Red Hat pushing
the official errata. CentOS replaced the hack ~90 minutes later. FWIW


On Tue, Apr 8, 2014 at 1:28 PM, Kelsey Cummings  wrote:

> On 4/8/2014 7:10 AM, Pat Riehecky wrote:
> > The updated package should be available now.
>
> Pat, can you clarify if this is the Real Fix from the upstream or just a
> build with heartbeats disabled.  I grabbed the CentOS quick fix and
> pushed it out to all of our SL systems last night in part since their
> announcement stated that their package versioning would be overridden
> when the upstream released the fix.  Just trying to figure out if I have
> to force the new one out or if there's going to be another version bump
> soon.
>
> --
> Kelsey Cummings - k...@corp.sonic.net  sonic.net, inc.
> System Architect  2260 Apollo Way
> 707.522.1000  Santa Rosa, CA 95407
>



-- 
Thanks,

Jamie Duncan
@jamieeduncan


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Jeffrey Anderson
Is SL5 vulnerable, and will there be a patch?




On Tue, Apr 8, 2014 at 7:10 AM, Pat Riehecky  wrote:

> The updated package should be available now.
>
> Pat
>
>
> On 04/08/2014 05:43 AM, Adam Bishop wrote:
>
>> Good Morning,
>>
>> I've not seen a fixed OpenSSL package drop into the repo's as of yet.
>>
>> Apologies for asking the question, but how quickly will this be packaged
>> and made available (i.e. should I start building the package myself)?
>>
>> Regards,
>>
>> Adam Bishop
>> Systems Development Specialist
>>
>>gpg: 0x6609D460
>>  t: +44 (0)1235 822 245
>>   xmpp: ad...@jabber.dev.ja.net
>>
>> Janet, the UK's research and education network.
>>
>>
>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>> not-for-profit company which is registered in England under No. 2881024
>> and whose Registered Office is at Lumen House, Library Avenue,
>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>>
>
>
> --
> Pat Riehecky
>
> Scientific Linux developer
> http://www.scientificlinux.org/
>



-- 
--
Jeffrey Anderson| jdander...@lbl.gov
Lawrence Berkeley National Laboratory   |
Office: 50A-5104E   | Mailstop 50A-5101
Phone: 510 486-4208 | Fax: 510 486-4204


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Jamie Duncan
The bug was only applicable to RHEL/CentOS/OEL/SL 6.5+
https://access.redhat.com/site/solutions/781793



On Tue, Apr 8, 2014 at 1:36 PM, Jeffrey Anderson  wrote:

> Is SL5 vulnerable, and will there be a patch?
>
>
>
>
> On Tue, Apr 8, 2014 at 7:10 AM, Pat Riehecky  wrote:
>
>> The updated package should be available now.
>>
>> Pat
>>
>>
>> On 04/08/2014 05:43 AM, Adam Bishop wrote:
>>
>>> Good Morning,
>>>
>>> I've not seen a fixed OpenSSL package drop into the repo's as of yet.
>>>
>>> Apologies for asking the question, but how quickly will this be packaged
>>> and made available (i.e. should I start building the package myself)?
>>>
>>> Regards,
>>>
>>> Adam Bishop
>>> Systems Development Specialist
>>>
>>>gpg: 0x6609D460
>>>  t: +44 (0)1235 822 245
>>>   xmpp: ad...@jabber.dev.ja.net
>>>
>>> Janet, the UK's research and education network.
>>>
>>>
>>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>>> not-for-profit company which is registered in England under No. 2881024
>>> and whose Registered Office is at Lumen House, Library Avenue,
>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>>>
>>
>>
>> --
>> Pat Riehecky
>>
>> Scientific Linux developer
>> http://www.scientificlinux.org/
>>
>
>
>
> --
> --
> Jeffrey Anderson| jdander...@lbl.gov
> Lawrence Berkeley National Laboratory   |
> Office: 50A-5104E   | Mailstop 50A-5101
> Phone: 510 486-4208 | Fax: 510 486-4204
>



-- 
Thanks,

Jamie Duncan
@jamieeduncan


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Pat Riehecky

On 04/08/2014 12:28 PM, Kelsey Cummings wrote:

On 4/8/2014 7:10 AM, Pat Riehecky wrote:

The updated package should be available now.

Pat, can you clarify if this is the Real Fix from the upstream or just a
build with heartbeats disabled.  I grabbed the CentOS quick fix and
pushed it out to all of our SL systems last night in part since their
announcement stated that their package versioning would be overridden
when the upstream released the fix.  Just trying to figure out if I have
to force the new one out or if there's going to be another version bump
soon.


The SL package is the official fix from upstream.

Pat

--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Patrick J. LoPresti
On Tue, Apr 8, 2014 at 10:36 AM, Jeffrey Anderson  wrote:
> Is SL5 vulnerable, and will there be a patch?

RHEL / CentOS / SL 5.x ship with OpenSSL 0.9.8(x), which is NOT vulnerable.

 - Pat


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread Kelsey Cummings
On 4/8/2014 10:43 AM, Pat Riehecky wrote:
> The SL package is the official fix from upstream.

Thanks for the clarification Pat.

-- 
Kelsey Cummings - k...@corp.sonic.net  sonic.net, inc.
System Architect  2260 Apollo Way
707.522.1000  Santa Rosa, CA 95407


Re: [SCIENTIFIC-LINUX-USERS] OpenSSL Vulnerability

2014-04-08 Thread P. Larry Nelson

In case this helps, here's what our campus security folks sent out this morning.

==

Mitigation:
"Affected users should upgrade to OpenSSL 1.0.1g. Users unable to
immediately upgrade can alternatively recompile OpenSSL with
-DOPENSSL_NO_HEARTBEATS."

Quick remote test for potential vulnerability (from linux):
echo ""|openssl s_client -connect $MYHOST:443 -tlsextdebug 2>&1 \
 | egrep 'heartbeat'

An example response of a potentially vulnerable host would be:
TLS server extension "heartbeat" (id=15), len=1

Quick local check for vulnerability:
openssl version -a
Any version other than 1.0.1 through 1.0.1f should be safe. In any
1.0.1 version, if the -DOPENSSL_NO_HEARTBEATS flag is listed in the
compiler flags, that should mean you're safe.

Spot check:

openssl version -a| grep -oE '1.0.1[a-g]{1}?|DOPENSSL_NO_HEARTBEATS'

This should give you the version, whether it's 1.0.1, and whether
OPENSSL_NO_HEARTBEATS was listed.

Adding to the spot checks above, once you patch with the official
patches from Ubuntu/Debian/RHEL these simple openssl checks will still
show the heartbeat extension enabled but it shouldn't be vulnerable
anymore. If you have access to Qualys for scanning, the QID for
scanning for this vulnerability is 42430.

The http://heartbleed.com/ site recommends re-issuing certificates
in case of prior compromise of existing private keys as there is no
way to differentiate from normal traffic.

We are recommending to our users to do this as well as any credentials
used over the SSL connection, especially in the last few days. The
vulnerability is easily exploitable and a few tests have returned
valid session cookies at the very least. Supposedly the server's
private key can be exposed as well. Passively there's no way to
determine if this is being exploited. I haven't had time to test with
debugging enabled.

===
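
As an added example (not part of the list thread or of the campus advisory above), the script below turns the advisory's two local spot checks into functions that can be exercised against constructed `openssl version -a` and `rpm -q openssl` output. It applies the advisory's rule exactly (1.0.1 through 1.0.1f without -DOPENSSL_NO_HEARTBEATS is potentially vulnerable) and then handles the caveat the advisory raises for distribution packages: the SL fix named earlier in the thread, openssl-1.0.1e-16.el6_5.7, keeps the 1.0.1e version string, so on SL/RHEL 6 the verdict has to come from the RPM release. The release comparison is a simplified numeric-field version of rpmvercmp, sufficient for el6 release strings; the fixed release comes from the thread, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the advisory): the advisory's local
# spot checks as testable functions, plus the distribution-package caveat.

# Classify the text of `openssl version -a` the way the advisory does.
# Prints "safe" or "potentially-vulnerable".
classify_version_output() {
    ver=$(printf '%s\n' "$1" | grep -oE '1\.0\.1[a-z]?' | head -n1)
    case "$ver" in
        1.0.1|1.0.1[a-f])
            # in the affected range: only the no-heartbeats build flag clears it
            if printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'; then
                echo safe
            else
                echo potentially-vulnerable
            fi ;;
        *) echo safe ;;   # 1.0.1g or later, or not a 1.0.1 build at all
    esac
}

# Compare two RPM release strings by their numeric fields
# (16.el6_5.7 -> 16 6 5 7). Returns 0 when $1 >= $2. This is a simplified
# rpmvercmp, adequate for el6 release strings, not a general replacement.
release_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# On SL/RHEL 6 the fix is backported: openssl-1.0.1e-16.el6_5.7 (named in the
# thread) still reports 1.0.1e, so classify_version_output flags patched hosts.
# Decide from the RPM release instead. Argument: output of `rpm -q openssl`.
# Prints "patched", "unpatched", or "not-1.0.1e" (a different series entirely).
classify_rpm_nvra() {
    FIXED_RELEASE="16.el6_5.7"            # from the list thread
    case "$1" in
        openssl-1.0.1e-*) ;;
        *) echo not-1.0.1e; return ;;
    esac
    rel=${1#openssl-1.0.1e-}              # e.g. 16.el6_5.7.x86_64
    case "$rel" in                        # strip the architecture suffix
        *.x86_64|*.i686|*.i386|*.noarch) rel=${rel%.*} ;;
    esac
    if release_ge "$rel" "$FIXED_RELEASE"; then
        echo patched
    else
        echo unpatched
    fi
}

# Run against the local host:  sh thisfile.sh --local
if [ "${1:-}" = "--local" ]; then
    classify_version_output "$(openssl version -a)"
    classify_rpm_nvra "$(rpm -q openssl)"
fi
```

The two verdicts are meant to be read together: on an SL 6.5 host the first function will keep saying potentially-vulnerable after the update because the version string never changes, and only the second one reflects the installed fix; neither says anything about daemons that still have the old library loaded, which is a separate restart check.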


Jamie Duncan wrote on 4/8/2014 12:44 PM:

The bug was only applicable to RHEL/CentOS/OEL/SL 6.5+
https://access.redhat.com/site/solutions/781793



On Tue, Apr 8, 2014 at 1:36 PM, Jeffrey Anderson wrote:

Is SL5 vulnerable, and will there be a patch?




On Tue, Apr 8, 2014 at 7:10 AM, Pat Riehecky wrote:

The updated package should be available now.

Pat


On 04/08/2014 05:43 AM, Adam Bishop wrote:

Good Morning,

I’ve not seen a fixed OpenSSL package drop into the repo’s as of 
yet.

Apologies for asking the question, but how quickly will this be
packaged and made available (i.e. should I start building the
package myself)?

Regards,

Adam Bishop
Systems Development Specialist

gpg: 0x6609D460
  t: +44 (0)1235 822 245 
   xmpp: ad...@jabber.dev.ja.net 

Janet, the UK's research and education network.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 
2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238



--
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/




--
--
Jeffrey Anderson| jdander...@lbl.gov

Lawrence Berkeley National Laboratory   |
Office: 50A-5104E   | Mailstop 50A-5101
Phone: 510 486-4208 | Fax: 510 486-4204




--
Thanks,

Jamie Duncan
@jamieeduncan




--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:lnel...@illinois.edu| http://www.roadkill.com/lnelson/
---
 "Information without accountability is just noise."  - P.L. Nelson