Page 1 of 3 123 LastLast
Results 1 to 10 of 28

Thread: What should we users do immediately about the heartbleed heartbeet openssl saucy flaw

  1. #1
    Join Date
    Jan 2014
    Beans
    20

    What should we users do immediately about the heartbleed heartbeet openssl saucy flaw

    I just belatedly found out about the heartbeat openssl bug (http://heartbleed.com).

    Affected versions: OpenSSL versions from 1.0.1 to 1.0.1f.
    The vulnerability has been fixed in OpenSSL 1.0.1g.

    $ uname -a
    Linux desktop 3.11.0-14-generic #21-Ubuntu SMP Tue Nov 12 17:04:55 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

    $ openssl
    OpenSSL> version
    OpenSSL 1.0.1e 11 Feb 2013

    $ sudo apt-get remove openssl
    $ sudo apt-get install openssl

    $ openssl
    OpenSSL> version
    OpenSSL 1.0.1e 11 Feb 2013

    Drat.

    QUESTION:
    As a user, who is decidedly not a security expert, what do the security experts suggest we users immediately do about this vulnerability?

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Run this:

    Code:
    openssl version -a
    It should say build date: April 7 or April 8 if you have the patched version.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Jun 2012
    Beans
    9

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Set "Check for certificate revocation" on in all browsers. Even after servers have installed the 1.0.1g fix, they then need to revoke their current certificate and issue a new one.

  4. #4
    Join Date
    Nov 2009
    Beans
    3,225

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy


  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Quote Originally Posted by mainmeister View Post
    Set "Check for certificate revocation" on in all browsers. Even after servers have installed the 1.0.1g fix, they then need to revoke their current certificate and issue a new one.
    The latest version of Firefox should be set to automatically check ssl certs for validity.

    Quote Originally Posted by 23dornot23d View Post
    Reads exactly like a tabloid.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #6
    Join Date
    Nov 2009
    Beans
    3,225

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    mmm ..... sometimes wonder about the reasoning ........ but as long as its fixed .......

    and we all know our systems are uptodate .....

    I upgrade to OpenSSL 1.0.1f 6 Jan 2014

    from what I have read so far this is a check to do


    Finding what version you have ..... cheers Charles A

    openssl version -a

    Downloads$ openssl version -a
    OpenSSL 1.0.1f 6 Jan 2014
    built on: Fri Jan 10 12:40:28 UTC 2014
    platform: debian-amd64
    options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"


    From what I am reading in the latest report - the older ones were more secure ......... can someone clarify if we are better
    off with older systems ........ or upgraded ones ........ as its not clear in this thread ...... !!!

    Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)

    Time to log off and go back to a older install again ..... until the repos have something I can use thats safe

    http://www.openssl.org/news/vulnerabilities.html
    Last edited by 23dornot23d; April 9th, 2014 at 07:03 PM. Reason: removed the last lines as it seems its old news ....... odd

  7. #7
    Join Date
    Jul 2010
    Location
    ozarks, Arkansas, USA
    Beans
    6,788
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    @ 23dornot23d; Don't know ?

    I ran :
    Code:
    sudo apt-get update
    sudo apt-get upgrade
    and a updated openssl was available, I did "upgrade" and ->
    Code:
    sysop@1310mini:~$ openssl version -a
    built on: Mon Apr  7 20:33:19 UTC 2014
    Your result is not the same ?
    THE current(cy) in Documentation:
    https://help.ubuntu.com/community/PopularPages

    Happy ubutu'n !

  8. #8
    Join Date
    Nov 2009
    Beans
    3,225

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Cheers for doing that check ..... maybe its something to do with the download server I use then
    I pointed it to UK ..... and maybe there lies the problem .......

    Will change servers and see if it changes things - thank you for doing that ......
    as I checked again before posting in Synaptic and reloaded the same result came up saying I was
    uptodate ......

    Will get back to you later - as I swapped into a different OS for the time being ...... have many to choose from
    so at least I can jump around a bit ...... confuses me at times - so might confuse anyone trying to get into my
    system .... not that it makes a lot of difference here ..... have nothing of real value - so long as they do not
    get in and trash anything ........ even then - so many systems now it probably would not disrupt me too much.

    Ok back to doing things again to relax ...

    Will let you know later on when I go back in if it will upgrade ok .....

  9. #9
    Join Date
    Jul 2010
    Location
    ozarks, Arkansas, USA
    Beans
    6,788
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    k
    THE current(cy) in Documentation:
    https://help.ubuntu.com/community/PopularPages

    Happy ubutu'n !

  10. #10
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    It could be the mirror didn't have the latest version, but unlikely. When you do boot into Ubuntu, run updates again and it should give you the newest version.

    As it stands now, that update is more geared toward servers and people using imaps/pop3s/https/openvpn than desktop users, but it's still a good thing to have updated.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

Page 1 of 3 123 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •