Serious OpenSSL bug renders websites wide open
Re: Serious OpenSSL bug renders websites wide open
As other people have already reported it,
In Mint 13 LTS and Mint 16, OpenSSL was already updated through the Ubuntu repository.
However, LMDE has its own repository (debian.linuxmint.com),
and the OpenSSL update has not yet been carried out there.
In many distributions the update has already been completed. Those concerned should hurry to update.
Re: Serious OpenSSL bug renders websites wide open
One question:
I am using LM XFCE 16 as a desktop, not a server. Do I need to update my system?
Sheng-Chieh
Re: Serious OpenSSL bug renders websites wide open
For the average user who's not running any server accessible from outside which is also using SSL, there is no urgent need to upgrade openssl. Nor do you solve any issues by upgrading.
Re: Serious OpenSSL bug renders websites wide open
I agree that it is necessary to hurry the update when a PC is used as a server.
However, recently there are also cases where a client stays connected over SSL for a long time.
I myself judge that even this state is high-risk.
Re: Serious OpenSSL bug renders websites wide open
I confirmed that OpenSSL was updated on debian.linuxmint.com for LMDE.
I have written up the details in another topic:
http://forums.linuxmint.com/viewtopic.p ... 14#p845814
Re: Serious OpenSSL bug renders websites wide open
Details of coding error
Summary: ( this is my understanding of the nature of the error )
The attacker (client -- read "you") sends a WRONG LENGTH record to the server. The error record contains a "payload" of 1 byte but states that the payload is 65535 bytes in length. As I understand it, OpenSSL is supposed to return the payload to the client -- as the "heartbeat" -- essentially to verify that the communication link has not been mis-directed in any way.
As I understand it now, OpenSSL fails to check for a wrong length record, accepts the 65535 length as correct and sends a 65,538-byte payload back to the client. The "payload" obviously is not any data the client sent to the server, so what is it?
We used to call this "main storage roulette" -- you don't know what will be found in the data sent -- it's just a memory over-run. A beginner's mistake: an experienced programmer never trusts anything that is sent to him to affect program control -- which in this case the bad value for the length of the payload does exactly that.
You do have to trust values posted to you by your own IOS -- but not anything in the input data.
Response:
The response needs to be made by the folks running servers. After they have fixed their OpenSSL package, then you should change your password. This would be important for any site dealing with money.
Notes:
I got my OpenSSL fix this morning
¡Viva la Resistencia!
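The length-check failure described in the post above, as an added example in C that is not code from the post, from OpenSSL or from this forum. It models the record layout the post describes (type byte, two-byte length, payload, padding) in a simulated memory region of its own: the record is placed at the start of that region and a constructed secret string is placed right after it, standing in for whatever a real server has lying about in adjacent heap. The unchecked handler trusts the declared length and echoes that many bytes; the checked handler first verifies that the declared payload fits inside the record actually received and silently discards the record otherwise. All names (`mem`, `build_record`, `heartbeat_unchecked`, `heartbeat_checked`, the secret text) are assumptions made for this illustration; the over-read stays inside the simulated buffer, so the program itself never reads out of bounds.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simulated process memory (constructed for this example). The heartbeat record
 * sits at the start; leftover data a server would have nearby follows it. */
#define MEM_SIZE   70000
#define HB_PADDING 16          /* trailing random padding required after the payload */
#define HB_REQUEST 1
#define HB_RESPONSE 2

static unsigned char mem[MEM_SIZE];   /* "heap" of the simulated server */
static unsigned char out[MEM_SIZE];   /* response buffer sent back to the client */
static const char secret[] = "CONSTRUCTED_SECRET: user=alice pass=hunter2";

/* Build a heartbeat request in mem[]: type(1) | length(2, big-endian) | payload | padding.
 * claimed_len is what the length field says; the real payload is only ONE byte.
 * Returns the true length of the record as it arrived on the wire. */
static size_t build_record(uint16_t claimed_len) {
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    mem[3] = 'A';                                  /* the single real payload byte */
    size_t record_len = 1 + 2 + 1 + HB_PADDING;
    /* constructed "secret" placed directly after the record, like adjacent heap contents */
    memcpy(mem + record_len, secret, sizeof secret);
    return record_len;
}

/* Unchecked handler: the length field alone decides how much is copied back.
 * Returns the number of bytes written to out[]. Here the over-read is confined to
 * mem[]; in a real process it walks into whatever happens to sit next to the record. */
static size_t heartbeat_unchecked(const unsigned char *rec, size_t record_len) {
    (void)record_len;                              /* never consulted: that is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);             /* copies far past the 1-byte payload */
    memset(out + 3 + payload, 0, HB_PADDING);      /* padding (zeros here, random in TLS) */
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Checked handler: the declared payload plus header and padding must fit inside the
 * record that was actually received. A malformed record is dropped (returns 0). */
static size_t heartbeat_checked(const unsigned char *rec, size_t record_len) {
    if (record_len < 1 + 2 + HB_PADDING) return 0; /* too short to even hold a header */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return 0; /* the missing check */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);             /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Does the first n bytes of the response contain the constructed secret? (1 = yes) */
static int response_leaks_secret(size_t n) {
    size_t slen = strlen(secret);
    if (n < slen) return 0;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    size_t len = build_record(65535);              /* 1-byte payload, claims 65535 */
    size_t n = heartbeat_unchecked(mem, len);
    printf("unchecked: echoed %zu bytes, secret leaked: %s\n",
           n, response_leaks_secret(n) ? "yes" : "no");
    n = heartbeat_checked(mem, len);
    printf("checked:   echoed %zu bytes (0 = record discarded)\n", n);
    return 0;
}
```

The point to take from running it is the size of the discrepancy: a 20-byte record produces a 65,554-byte answer from the unchecked handler, and the only thing that decides how much of the process's memory is echoed is a number the peer chose. The single comparison in `heartbeat_checked` is the whole fix; note that it is made against the record length the server measured itself, never against anything the peer supplied.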
Re: Serious OpenSSL bug renders websites wide open
Hi, Mike.
Yes, the problem is/was that vulnerable servers can be made to return up to 64k of potentially confidential data. Such data may contain anything including logon credentials in clear text.
It is also true what some user stated in a previous post:
Updating our client machines to a bugfixed version of openSSL is fine. But it will not make us much safer because we might communicate with servers on the net which are still using a vulnerable openSSL version.
Life on the net remains risky.
Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
Re: Serious OpenSSL bug renders websites wide open
More important Karl, even if all systems are updated, you don't know what was stolen (if anything was stolen)...
Amazon was reported not to be concerned. But if it was, for example, thousands of card numbers could be out there...
Re: Serious OpenSSL bug renders websites wide open
Correction: AIUI now, even clients can have some memory stolen if connected to a malicious server. I was worried when I saw I had openssl 1.0.1c on my Mint 14 and not 1.0.1g but then I see it's 1.0.1c-3ubuntu2.7 which has the required patch.
Re: Serious OpenSSL bug renders websites wide open
Hi there,
I'm a newbie so I'm big time concerned about the heartbleed bug. I noticed I have a pending request to update the openSSL to 1.0.1e-3ubuntu1.2 but it's marked as Level 3.
Is it safe to run this update?!
Thanks!!!
Re: Serious OpenSSL bug renders websites wide open
Thanks so much killer de bug,
Would I need to worry about any security issue on my Linux Mint 16, or should this update fix the vulnerability to the bug?
And just to be clear, Level 3 updates are then safe?!
Thanks again!!!
Re: Serious OpenSSL bug renders websites wide open
Level 1 2 3 are safe.
And this fix is enough for you to stop worrying
Re: Serious OpenSSL bug renders websites wide open
The (predictable) response begins
(excerpt)
The sad truth is that open source software — which underpins vast swathes of the net — has a serious sustainability problem.
i don't buy any of their crap. I stand absolutely with the whole OpenSource/Linux concept and project.
so don't take anything I post the wrong way. Heartbleed is a serious slip. but it could have been prevented. If Torvalds was here I'm sure he'd agree with my note regarding allowing user input data to control execution of a program. it's a no-no and it's been a no-no since computers came into general use in the 1960s or roughly thereabouts. how many bugs have been attributed to buffer over-run ?
Early Discovery of Heartbleed
(excerpt)
Before hanging up, Chartier instructed one of the Finnish engineers to write an exploit code to take advantage of Codenomicon‘s own site. Basically, Chartier wanted to see what, exactly, a hacker could get if they knew about the bug.
“We attacked ourselves,” Chartier says. The results freaked him out. The team realized they were able to access a user’s memory, encryption keys, usernames and passwords—”plus a lot of other stuff that we don’t want to mention,” Chartier says. “We saw how serious it was.”
Last edited by mike acker on Fri Apr 11, 2014 7:52 am, edited 1 time in total.
¡Viva la Resistencia!
Re: Serious OpenSSL bug renders websites wide open
FUD as usual... What would they say about heavily funded crappy obscure bloated unsecure-by-design proprietary software like... Flash
Re: Serious OpenSSL bug renders websites wide open
absolutelyeanfrid wrote: FUD as usual... What would they say about heavily funded crappy obscure bloated unsecure-by-design proprietary software like... Flash
i see this as a rare problem in the OpenSource/Linux venue. unfortunate, but rare. I think OpenSource/Linux does much better than its commercial alternatives.
Adobe/Flash is the worst; it gets patched so often it makes Whac-a-Mole look like a gimmie.
¡Viva la Resistencia!
Re: Serious OpenSSL bug renders websites wide open
Through the Linux Foundation's Core Infrastructure Initiative, OpenSSL has just received funding for two full-time developers and the Open Crypto Audit Project will receive funding to conduct a security audit of OpenSSL: http://www.linuxfoundation.org/news-med ... ounces-new
Re: Serious OpenSSL bug renders websites wide open
This is really good news. I bet a few security fixes will come in the next month for security breaches we are not aware of at the moment.
This looks so strange when I read it... Adobe
"Adobe believes that open development and open source software are fundamental building blocks for software development," said Dave McAllister, director of open source at Adobe. “The Core Infrastructure Initiative allows us to extend our support through a neutral forum that can prioritize underfunded yet critical projects. We’re excited to be a part of this work.”
Re: Serious OpenSSL bug renders websites wide open
Adobe actively develops open source software (http://html.adobe.com/opensource/). They do a lot more than Flash.