Serious OpenSSL bug renders websites wide open

mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Serious OpenSSL bug renders websites wide open

Post by mike acker »

Serious OpenSSL bug renders websites wide open

I often wonder what goes on in the heads of programmers who make these errors. If you have time to write an instruction, you have time to check it under debug. If I remember rightly, that's what the honorable Prof. Dr. Edsger W. Dijkstra called for in his Notes on Structured Programming. A colleague of mine and I tried this approach on one project. It worked.
¡Viva la Resistencia!
peyrol
Level 3
Posts: 132
Joined: Sun Nov 25, 2012 1:51 am
Location: Lexington VA USA

Re: Serious OpenSSL bug renders websites wide open

Post by peyrol »

Here's another link. http://arstechnica.com/security/2014/04 ... sdropping/
Should I change all my passwords?
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Serious OpenSSL bug renders websites wide open

Post by mike acker »

peyrol wrote:Here's another link. http://arstechnica.com/security/2014/04 ... sdropping/
Should I change all my passwords?
I think the patch will be out sometime today or tomorrow.

Remember: this hack is kinda far out -- for the moment* our situation remains that "phishing" is the most common compromise. In "phishing" the attacker sends some kind of bait -- called a "Trojan" (after the Spartans used a Trojan Horse in attacking Athens).

The Trojan is something tempting -- a free copy of a game -- pics of some little hottie -- and then the victim does himself in by authorizing the Trojan.

About 2/3 of today's hacks are done with "phishing" and "Trojans". The key to defense is: AUTHENTICATE.

Still, there's way too much loose software around...

Government breaches under reported by millions
The GAO's Wilshusen told the Senate that information security incidents reported by federal agencies grew from about 30 million in 2009 to over 61 million in 2013.
Suggested reading: David Rice: Geekonomics: The Real Cost of Insecure Software

IMHO insecure software is unacceptable for any purpose.
kurotsugi

Re: Serious OpenSSL bug renders websites wide open

Post by kurotsugi »

The patch is already issued. It depends on your distro when you will get the update.
peyrol
Level 3
Posts: 132
Joined: Sun Nov 25, 2012 1:51 am
Location: Lexington VA USA

Re: Serious OpenSSL bug renders websites wide open

Post by peyrol »

I have openssl 1.0.1e-4 from the Debian repository for LMDE. Is that okay? Thanks very much.
eanfrid

Re: Serious OpenSSL bug renders websites wide open

Post by eanfrid »

Keep in mind that it is mostly a server-side issue. You can update your client libraries, but this will not solve the bug if the server you connect to is still using a vulnerable SSL stack.

Edit: I don't like very much the update and security model of LMDE with "update packs"... unless high-priority fixes are available on the run, independently from the update pack schedule, you will have many pending security/critical or serious bugs that will remain unpatched until the next update pack (I hope to be wrong about security/important bug handling in LMDE, though).
I2k4
Level 5
Posts: 784
Joined: Thu Feb 02, 2012 8:33 pm

Re: Serious OpenSSL bug renders websites wide open

Post by I2k4 »

Mint 16 XFCE: I noticed an openssl update this morning before reading about the big problem. Now I've checked and the April 8, 2014 update is version 1.0.1e which is not reported as being the safe iteration of 1.0.1, which is "g".

http://heartbleed.com/

What versions of the OpenSSL are affected?

Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Hopefully this is being followed up.
TRUST BUT VERIFY any advice from anybody, including me. Mint/Ubuntu user since 10.04 LTS. LM20 64 bit XFCE (Dell 1520). Dual boot LM20 XFCE / Win7 (Lenovo desktop and Acer netbook). Testing LM21.1 Cinnamon and XFCE Live for new Lenovo desktop.
eanfrid

Re: Serious OpenSSL bug renders websites wide open

Post by eanfrid »

There are two types of security patches: those issued with new (unstable) releases of the software (e.g. 1.0.1g) and patches that are backported to current releases. The latter solution is applied at least to Debian stable and Ubuntu/Mint supported releases, while the former is applied to Debian Sid (unstable) and Testing afterwards.

Here is the changelog for LM16/Saucy:

openssl (1.0.1e-3ubuntu1.2) saucy-security; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <email address hidden>  Mon, 07 Apr 2014 15:43:47 -0400
=> don't worry :)
I2k4
Level 5
Posts: 784
Joined: Thu Feb 02, 2012 8:33 pm

Re: Serious OpenSSL bug renders websites wide open

Post by I2k4 »

Thanks. Today's update seemed more than just a coincidence, and I noticed it went from "3ubuntu1.1" to "3ubuntu1.2" - but the heartbleed site caused alarm.
xenopeek
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: Serious OpenSSL bug renders websites wide open

Post by xenopeek »

You can use http://filippo.io/Heartbleed/ to test SSL (https) websites you have an account on, whether they are still vulnerable.

If you have at least Go version 1.2, you can also build this command line tool and run the tests from your own machine: https://github.com/FiloSottile/Heartbleed. Unfortunately, Linux Mint comes with an older Go version so you can't use it on that. I extracted all https websites from my Firefox bookmarks and ran them all through this tool. So far, found three websites on which I have an account that are still vulnerable.

You could already change your password on websites that are not / no longer vulnerable, but look for communication from them on whether they were affected and when they will change their certificate. You're still vulnerable to MITM if they were affected and haven't changed their certificate yet after they patched OpenSSL.
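The changelog line a few posts up ("memory disclosure in TLS heartbeat extension ... use correct lengths in ssl/d1_both.c, ssl/t1_lib.c") and the scanner linked above are two sides of the same bug, so here is one added example covering both. It is not OpenSSL's code and not the scanner's code: it is a cut-down C model of heartbeat processing using the RFC 6520 message layout (type, 2-byte payload length, payload, padding). The `strict` switch, the function names, and the simulated "connection memory" with a planted secret are assumptions made for the example; the two bounds checks in the strict path are the ones the 1.0.1g fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* RFC 6520: at least 16 bytes of padding */

/* Serialise one heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding.
 * `out` must hold 3 + len + HB_PADDING bytes. Returns the message length. */
static size_t hb_put(uint8_t *out, uint8_t type, const uint8_t *payload, uint16_t len) {
    out[0] = type;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len & 0xff);
    memcpy(&out[3], payload, len);
    memset(&out[3 + len], 0, HB_PADDING);
    return 3 + (size_t)len + HB_PADDING;
}

/* Server side: process a heartbeat record of rec_len bytes at rec, writing the reply into
 * out (sized for the largest possible reply). Returns the reply length, or -1 if dropped.
 *   strict == 0 models OpenSSL 1.0.1 through 1.0.1f: the peer-supplied payload_length is
 *               trusted, so memcpy reads that many bytes after the 3-byte header whether
 *               or not the record actually contained them.
 *   strict == 1 adds the two length checks from the 1.0.1g fix ("use correct lengths"). */
static long process_heartbeat(const uint8_t *rec, size_t rec_len, uint8_t *out, int strict) {
    if (strict && rec_len < 1 + 2 + HB_PADDING)
        return -1;                               /* 1.0.1g: too short to be a heartbeat */
    uint8_t type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (strict && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                               /* 1.0.1g: declared payload must fit the record */
    if (type != TLS1_HB_REQUEST)
        return -1;
    return (long)hb_put(out, TLS1_HB_RESPONSE, rec + 3, payload);  /* over-reads when !strict */
}

/* Client side, the trick the Heartbleed scanners use: claim a large payload, send none. */
static size_t build_probe(uint8_t *out, uint16_t claimed_len) {
    out[0] = TLS1_HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memset(&out[3], 0, HB_PADDING);
    return 3 + HB_PADDING;                       /* 19 bytes on the wire, header says 16384 */
}

/* A server that answers the probe with more payload than we sent is vulnerable.
 * Returns 1 = vulnerable, 0 = not (no reply, alert, or empty payload). */
static int classify_response(long resp_len, const uint8_t *resp) {
    if (resp_len < 3 || resp[0] != TLS1_HB_RESPONSE)
        return 0;
    return ((resp[1] << 8) | resp[2]) > 0;
}

/* Constructed model of the server's memory: the incoming record, then data the peer must
 * never see. The over-read stays inside this array, so the demo itself is well defined. */
static uint8_t conn_mem[65536];
static uint8_t resp_buf[3 + 65535 + HB_PADDING];
static const char kSecret[] = "SID=constructed-example-session-cookie";

/* Run one probe against the server model; copies the leaked payload into `leaked`
 * (up to cap bytes) and returns the leaked payload length, 0 if nothing came back. */
static long run_exchange(int strict, uint8_t *leaked, size_t cap) {
    memset(conn_mem, 'A', sizeof conn_mem);
    size_t rec_len = build_probe(conn_mem, 0x4000);
    memcpy(conn_mem + rec_len, kSecret, sizeof kSecret);   /* adjacent heap contents */
    long n = process_heartbeat(conn_mem, rec_len, resp_buf, strict);
    if (!classify_response(n, resp_buf))
        return 0;
    long payload = (resp_buf[1] << 8) | resp_buf[2];
    size_t take = (size_t)payload < cap ? (size_t)payload : cap;
    memcpy(leaked, resp_buf + 3, take);
    return payload;
}

/* Naive substring search so a caller can show the secret really came back. */
static int leak_contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

int main(void) {
    uint8_t leak[256];
    long v = run_exchange(0, leak, sizeof leak);
    printf("1.0.1f model: %ld payload bytes returned, secret present: %d\n",
           v, leak_contains(leak, sizeof leak, kSecret));
    long p = run_exchange(1, leak, sizeof leak);
    printf("1.0.1g model: %ld payload bytes returned (request dropped)\n", p);
    return 0;
}
```

The 19-byte probe asks for 16384 bytes back; the unpatched model hands over the padding plus whatever sat next to the record in memory, which is exactly why a scanner can tell the two apart without any credentials. A "not vulnerable" result only says the server is patched now; it says nothing about what was read out of its memory before the patch, which is why the post above ties password changes to the site reissuing its certificate.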
macrohard

Re: Serious OpenSSL bug renders websites wide open

Post by macrohard »

Yes, the key is that if you update to the latest OpenSSL on an affected device, one needs to revoke the certificates they are using and be issued new certs.

I can also say that this not only affects web servers, but also VPN devices that are using affected versions of OpenSSL. So potentially, any SSL VPN can also be affected.

Untangle did post on its site that it is not affected by these issues (in relation to VPN capabilities), but I am aware that Juniper VPN devices are affected and Juniper is currently working on a fix for these as we speak.

https://support.untangle.com/hc/en-us/a ... /201956817

http://forums.juniper.net/t5/SSL-VPN/Pl ... d-p/237486
killer de bug

Re: Serious OpenSSL bug renders websites wide open

Post by killer de bug »

mike acker wrote: i often wonder what goes on in the heads of programmers who make these errors.
mike acker wrote: IMHO insecure software is unacceptable for any purpose.
Humble? Seriously? :shock:

You know, they are humans. And like every human, when they try something, they are likely to make mistakes.

But at the end of the day, they can fall a thousand times and they will still be way ahead of guys like you, who speak but don't do anything. Sure, you don't make any mistakes... :roll:
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Serious OpenSSL bug renders websites wide open

Post by mike acker »

karlchen
Level 23
Posts: 18176
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Serious OpenSSL bug renders websites wide open

Post by karlchen »

Hi, folks.

Only a few minutes ago, my Linux Mint 13 (state: Ubuntu 12.04.4) received among 24 other updates this one:


openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 07 Apr 2014 15:45:14 -0400
May I assume this is the security update and bugfix which we all have been waiting for?
Then now might be the right time to watch carefully which software packages mintUpdate is offering you and check for this openssl update.
Hey, and do not forget to click the [Apply] button in mintUpdate. :wink:

Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
killer de bug

Re: Serious OpenSSL bug renders websites wide open

Post by killer de bug »

Ohhh strange. I thought Ubuntu had pushed fixes earlier yesterday. It was probably for Ubuntu 13.10. :)
eanfrid

Re: Serious OpenSSL bug renders websites wide open

Post by eanfrid »

@karlchen: your system seems a bit late on the update schedule: my LM13 was updated almost 2 days ago :)

At the moment, all major distros have already backported the patches to older versions than 1.0.1g.
xenopeek
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: Serious OpenSSL bug renders websites wide open

Post by xenopeek »

eanfrid wrote:@karlchen: your system seems a bit late on the update schedule: my LM13 was updated almost 2 days ago :)
*mumble* *mumble* mirrors :)
karlchen
Level 23
Posts: 18176
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Serious OpenSSL bug renders websites wide open

Post by karlchen »

Hi, folks.

My Mint 13 is neither slow in updating, nor is it a mirroring issue; it is much more straightforward: the machine had not been up for 4 days. :lol:

Cheers,
Karl
killer de bug

Re: Serious OpenSSL bug renders websites wide open

Post by killer de bug »

karlchen wrote: The machine had not been up for 4 days. :lol:
That probably explains why you got the update so late. :lol:
Cage

Re: Serious OpenSSL bug renders websites wide open

Post by Cage »

After a long search I found a website that has the cure for Mint 15. You run the commands from the terminal and it will update OpenSSL to 1.0.1g. It worked fine on my Mint 15 KDE version without a hitch.
[Ubuntu] Upgrade OpenSSL to 1.0.1g – Heartbleed Bug – Urgent!
Posted on 6. April 2014

So, that's no joke: OpenSSL broke badly!
Here is the background: http://heartbleed.com/

And as there is no zero-hour fix for Ubuntu (including 12.04 LTS...), I decided to take chances and overwrite my existing OpenSSL 1.0.1 with the new code. It worked out flawlessly – but your system could *REALLY* break. That's as dirty as it possibly could get!

# fetch and unpack the 1.0.1g source tarball
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xvzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g/
# --prefix=/usr is the same prefix the distro package uses, so the install
# step below overwrites the packaged libssl/libcrypto (this is the dirty part)
./config --prefix=/usr
# build and run the self-tests as a normal user; only the install needs root
make
make test
sudo make install