Serious OpenSSL bug renders websites wide open
Serious OpenSSL bug renders websites wide open
I often wonder what goes on in the heads of programmers who make these errors. If you have time to write an instruction, you have time to check it under debug. If I remember rightly, that's what the honorable Prof. Dr. Edsger W. Dijkstra called for in his NOTES ON STRUCTURED PROGRAMMING. A colleague of mine and I tried this approach on one project. It worked.
¡Viva la Resistencia!
Re: Serious OpenSSL bug renders websites wide open
Here's another link. http://arstechnica.com/security/2014/04 ... sdropping/
Should I change all my passwords?
Re: Serious OpenSSL bug renders websites wide open
peyrol wrote: Here's another link. http://arstechnica.com/security/2014/04 ... sdropping/
Should I change all my passwords?
I think the patch will be out sometime today or tomorrow.
Remember: this hack is kinda far out -- for the moment* our situation remains that "phishing" is the most common compromise. In "phishing" the attacker sends some kind of bait -- called a "Trojan" (after the Spartans used a Trojan Horse in attacking Athens).
The trojan is something tempting -- a free copy of a game -- px of some little hottie -- and then the victim does himself in by authorizing the trojan.
About 2/3 of today's hacks are done with "phishing" and "trojans". The key to defense is: AUTHENTICATE.
Still, there's way too much loose software around......
Government breaches underreported by millions
Suggested reading: David Rice: Geekonomics: The Real Cost of Insecure Software
The GAO's Wilshusen told the Senate that information security incidents reported by federal agencies grew from about 30 million in 2009 to over 61 million in 2013.
IMHO insecure software is unacceptable for any purpose.
¡Viva la Resistencia!
Re: Serious OpenSSL bug renders websites wide open
The patch is already issued. It depends on your distro when you will get the update.
Re: Serious OpenSSL bug renders websites wide open
I have openssl 1.0.1e-4 from the Debian repository for LMDE. Is that okay? Thanks very much.
Re: Serious OpenSSL bug renders websites wide open
Keep in mind that it is mostly a server-side issue. You can update your client libraries but this will not solve the bug if the server you connect to is still using a vulnerable SSL stack.
Edit: I don't like very much the update and security model of LMDE with "update packs"... unless high priority fixes are available on the run, independently from the update packs schedule, you will have many pending security/critical or serious bugs that will remain unpatched until the next update pack (I hope to be wrong about security/important bugs handling in LMDE, though).
Re: Serious OpenSSL bug renders websites wide open
Mint 16 XFCE: I noticed an openssl update this morning before reading about the big problem. Now I've checked and the April 8, 2014 update is version 1.0.1e which is not reported as being the safe iteration of 1.0.1, which is "g".
http://heartbleed.com/
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Hopefully this is being followed up.
TRUST BUT VERIFY any advice from anybody, including me. Mint/Ubuntu user since 10.04 LTS. LM20 64 bit XFCE (Dell 1520). Dual boot LM20 XFCE / Win7 (Lenovo desktop and Acer netbook). Testing LM21.1 Cinnamon and XFCE Live for new Lenovo desktop.
Re: Serious OpenSSL bug renders websites wide open
There are two types of security patches: those issued with new (unstable) releases of the software (e.g 1.0.1g) and patches that are backported to current releases. The latter solution is applied at least to Debian stable and Ubuntu/Mint supported releases, while the former is applied to Debian Sid (unstable) and Testing afterwards.
Here is the changelog for LM16/Saucy:
openssl (1.0.1e-3ubuntu1.2) saucy-security; urgency=medium
  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160
 -- Marc Deslauriers <email address hidden>  Mon, 07 Apr 2014 15:43:47 -0400
=> don't worry
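The point made in the last two posts (the upstream version list from heartbleed.com, and the fact that a distro build still reporting 1.0.1e can carry a backported fix) can be turned into a local check. This is an added example, not code from the thread or from any distro; it assumes the changelog text comes from `apt-get changelog openssl` or the file under /usr/share/doc/openssl, and that the backport names CVE-2014-0160 the way the quoted changelogs do.

```shell
# Added example, not from the thread: decide whether an installed OpenSSL is
# exposed to CVE-2014-0160 (Heartbleed) from two things a Mint/Ubuntu user can
# read locally:
#   1. the output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
#   2. the package changelog (`apt-get changelog openssl`), which on
#      Debian/Ubuntu names the backported fix as CVE-2014-0160 even though
#      the version string still says 1.0.1e.
# Upstream 1.0.1 through 1.0.1f are affected; 1.0.1g, 1.0.0 and 0.9.8 are not.

heartbleed_status() {
    version_line=$1   # output of `openssl version`
    changelog=$2      # package changelog text, may be empty

    # Second field is the upstream version, e.g. "1.0.1e" or "1.0.1e-fips"
    ver=$(printf '%s\n' "$version_line" | awk '{print $2}')

    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*)
            # Affected upstream range: only a backported patch can save it
            if printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then
                echo "patched-backport"
            else
                echo "vulnerable"
            fi
            ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)
            echo "not-vulnerable"   # fixed release, or a branch released after it
            ;;
        1.0.0*|0.9.8*)
            echo "not-vulnerable"   # older branches never had the heartbeat bug
            ;;
        *)
            echo "unknown"
            ;;
    esac
}

# Constructed sample: a Mint 16 package that still reports 1.0.1e, with the
# changelog lines quoted in the thread showing the backported fix.
SAMPLE_CHANGELOG='openssl (1.0.1e-3ubuntu1.2) saucy-security; urgency=medium
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160'

heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013" "$SAMPLE_CHANGELOG"   # patched-backport
heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013" ""                    # vulnerable
heartbleed_status "OpenSSL 1.0.1g 7 Apr 2014" ""                     # not-vulnerable
# On a real machine: heartbleed_status "$(openssl version)" "$(apt-get changelog openssl)"
```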
Re: Serious OpenSSL bug renders websites wide open
Thanks. Today's update seemed more than just a coincidence, and I noticed it went from "3ubuntu1.1" to "3ubuntu1.2" - but the heartbleed site caused alarm.
TRUST BUT VERIFY any advice from anybody, including me. Mint/Ubuntu user since 10.04 LTS. LM20 64 bit XFCE (Dell 1520). Dual boot LM20 XFCE / Win7 (Lenovo desktop and Acer netbook). Testing LM21.1 Cinnamon and XFCE Live for new Lenovo desktop.
Re: Serious OpenSSL bug renders websites wide open
You can use http://filippo.io/Heartbleed/ to test whether SSL (https) websites you have an account on are still vulnerable.
If you have at least Go version 1.2, you can also build this command line tool and run the tests from your own machine: https://github.com/FiloSottile/Heartbleed. Unfortunately, Linux Mint comes with an older Go version so you can't use it on that. I extracted all https websites from my Firefox bookmarks and ran them all through this tool. So far, I have found three websites on which I have an account that are still vulnerable.
You could already change your password on websites that are not / no longer vulnerable, but look for communication from them on whether they were affected and when they will change their certificate. You're still vulnerable to MITM if they were affected and haven't changed their certificate yet after they patched OpenSSL.
Re: Serious OpenSSL bug renders websites wide open
Yes, the key is that if you update to the latest OpenSSL on an affected device, one needs to revoke the certificates they are using and be issued new certs.
I can also say that this not only affects web servers, but also VPN devices that are using affected versions of OpenSSL. So potentially, any SSL VPN can also be affected.
Untangle did post on its site that it is not affected by these issues (in relation to VPN capabilities) but I am aware that Juniper VPN devices are affected and Juniper is currently working on a fix on these as we speak.
https://support.untangle.com/hc/en-us/a ... /201956817
http://forums.juniper.net/t5/SSL-VPN/Pl ... d-p/237486
Re: Serious OpenSSL bug renders websites wide open
mike acker wrote: i often wonder what goes on in the heads of programmers who make these errors.
mike acker wrote: IMHO insecure software is unacceptable for any purpose.
Humble? Seriously?
You know, they are humans. And like every human, when they try something, they are likely to make mistakes.
But at the end of the day, they can fall a thousand times and they will still be way ahead of guys like you, who speak but don't do anything. Sure, you don't make any mistakes...
Re: Serious OpenSSL bug renders websites wide open
¡Viva la Resistencia!
Re: Serious OpenSSL bug renders websites wide open
Hi, folks.
Only a few minutes ago, my Linux Mint 13 (state: Ubuntu 12.04.4) received among 24 other updates this one:
openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium
  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160
 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 07 Apr 2014 15:45:14 -0400
May I assume this is the security update and bugfix which we all have been waiting for?
Then now might be the right time to watch carefully which software packages mintUpdate is offering you and check for this openssl update.
Hey, and do not forget to click the [Apply] button in mintUpdate.
Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
Re: Serious OpenSSL bug renders websites wide open
Ohhh strange. I thought Ubuntu had pushed fixes earlier yesterday. It was probably for Ubuntu 13.10.
Re: Serious OpenSSL bug renders websites wide open
@karlchen: your system seems a bit late on the update schedule: my LM13 was updated almost 2 days ago
At the moment, all major distros have already backported the patches to older versions than 1.0.1g.
Re: Serious OpenSSL bug renders websites wide open
seanfrid wrote: @karlchen: your system seems a bit late on the update schedule: my LM13 was updated almost 2 days ago
*mumble* *mumble* mirror
Re: Serious OpenSSL bug renders websites wide open
Hi, folks.
My Mint 13 is neither slow in updating, nor is it a mirroring issue; it is much more straightforward: the machine had not been up for 4 days.
Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
Re: Serious OpenSSL bug renders websites wide open
karlchen wrote: The machine had not been up for 4 days.
That probably explains why you got the update so late.
Re: Serious OpenSSL bug renders websites wide open
After a long search I found a web site that has the cure for Mint 15. You run the commands from the terminal and it will update OpenSSL to 1.0.1g. It worked fine on my Mint 15 KDE version without a hitch.
[Ubuntu] Upgrade OpenSSL to 1.0.1g – Heartbleed Bug – Urgent!
Posted on 6. April 2014
So, that's no joke: OpenSSL broke badly!
Here is the background: http://heartbleed.com/
And as there is no zero-hour-fix for Ubuntu (including 12.04 LTS…), I decided to take chances and overwrite my existing OpenSSL 1.0.1 with the new code. It worked out flawlessly – but your system could *REALLY* break. That's as dirty as it possibly could get!
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xvzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g/
./config --prefix=/usr
sudo make
sudo make test
sudo make install
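Whether the library is replaced by a package update or by the source build quoted above, services that were already running keep the old libssl mapped until they are restarted, so `openssl version` reporting 1.0.1g says nothing about a long-running web server or VPN daemon. The following is an added example, not code from the thread or the quoted blog post; it reads the /proc/<pid>/maps format that Linux uses and assumes only that a replaced library shows up there as "(deleted)".

```shell
# Added example, not from the thread or the quoted blog post. After libssl on
# disk is replaced, processes started earlier still map the old copy, and the
# kernel labels that mapping "(deleted)" in /proc/<pid>/maps. This reports
# every maps file that still references a removed libssl/libcrypto, i.e. the
# processes that must be restarted before the update actually protects them.

stale_openssl_mappings() {
    # $@: paths to /proc/<pid>/maps files (or any file in the same format)
    for maps in "$@"; do
        [ -r "$maps" ] || continue
        # Typical stale line:
        # 7f3a2c000000-7f3a2c060000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
        if grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" >/dev/null 2>&1; then
            printf '%s\n' "$maps"
        fi
    done
}

# Constructed sample maps files standing in for two processes: one started
# before the library was replaced, one started after.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/stale.maps" <<'EOF'
7f3a2c000000-7f3a2c060000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a2c260000-7f3a2c3f0000 r-xp 00000000 08:01 1235 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a2c600000-7f3a2c620000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
EOF
cat > "$SAMPLE_DIR/fresh.maps" <<'EOF'
7f3a2c000000-7f3a2c060000 r-xp 00000000 08:01 1240 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3a2c260000-7f3a2c3f0000 r-xp 00000000 08:01 1241 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF

stale_openssl_mappings "$SAMPLE_DIR/stale.maps" "$SAMPLE_DIR/fresh.maps"   # prints only stale.maps
# On a real machine (as root): stale_openssl_mappings /proc/[0-9]*/maps
```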