Page 2 of 3 (results 11 to 20 of 28)

Thread: What should we users do immediately about the heartbleed heartbeet openssl saucy flaw

  1. #11
    Join Date
    Nov 2009
    Beans
    3,225

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Cheers, am up to date now and after changing servers did a safe-upgrade .......
    it's giving me the same build though, but the build date has changed now .........

    # openssl version -a
    OpenSSL 1.0.1f 6 Jan 2014
    built on: Mon Apr 7 21:22:23 UTC 2014
    platform: debian-amd64
    options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"

    Latest Ubuntu 14.04 - 64 bit and the kernel is now at 3.13.0-23-generic ........

    screenshot here of my desktop as I rebooted and just ran it again to check for any changes
    http://i.minus.com/iqFlyZe3NiEOZ.png

    Is that as up to date as I can go now?

    ok going back to what was said earlier - seems I am ok now

    It should say build date: April 7 or April 8 if you have the patched version.
    Last edited by 23dornot23d; April 9th, 2014 at 09:24 PM.

  2. #12
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    That's fine, there was another update to openssl that forced services depending on it to restart.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #13
    Join Date
    Nov 2009
    Beans
    3,225

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Ok thank you - am happy again, things are starting to go well again today .......

  4. #14
    Join Date
    Mar 2009
    Location
    Brasilia - Brazil
    Beans
    62
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    I did an update/upgrade, changed repository to "main server", did an update/upgrade again, but I'm still getting

    OpenSSL 1.0.1 14 Mar 2012
    on both my desktop and server. In time, I'm using Ubuntu 12.04 LTS on both systems.
    How can I get the new version of OpenSSL?
    TIA

  5. #15
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Quote Originally Posted by CharlesA View Post
    Run this:

    Code:
    openssl version -a
    It should say build date: April 7 or April 8 if you have the patched version.
    Run that ^.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #16
    Join Date
    Jun 2012
    Beans
    190

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Quote Originally Posted by CharlesA View Post
    As it stands now, that update is more geared toward servers and people using imaps/pop3s/https/openvpn than desktop users, but it's still a good thing to have updated.
    If you don't mind, I'd like to understand a bit more about this thing: this openssl vulnerability, as far as I can tell from reading of it in "tech" websites
    http://www.zdnet.com/heartbleed-secu...us-7000028216/
    http://arstechnica.com/security/2014...-before-patch/
    does actually affect the server side of things, in other words there's really not much that an average desktop user can do/is supposed to do. Is that correct?
    Furthermore, assuming that it has been actually going on since November as some observers are claiming, we can only guess that data has indeed been taken from compromised servers, and there's nothing to be done about it.
    Is there anything that desktop users should be aware of, anything unusual to check?

    On a side note, as you point out at imaps/pop3s/https/openvpn, do you mean that folks using a mail client on their desktop could be more at risk than the ones accessing the same services by regular webmail? I don't think so, but just to be sure.

  7. #17
    Join Date
    Jan 2014
    Beans
    26

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Quote Originally Posted by cogset View Post
    I'd like to understand a bit more about this thing:this openssl vulnerability.
    In a heartbeat, Robin Seggelmann < seggelmann at fh-muenster.de > submitted this line of code which was committed an hour before midnight on New Year's Eve, 2011 by Stephen Henson < steve at openssl.org >.
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);

    That line of code is only present in OpenSSL versions between 1.0.1 and 1.0.1f, including betas; anything older or newer and the bug isn’t present.

    The fix was simply to limit the payload plus padding to 16 bytes
    Code:
    - /* Read type and payload length first */
    - hbtype = *p++;
    - n2s(p, payload);
    - pl = p;
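    Review bot: these four lines are removals only; the re-added block that reads the type and payload length after a record-length check is not in the fragment, so as quoted the hunk does not show the limit it is cited for. Quote the corresponding added lines as well so the check is visible.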
    And, to not allow the heartbeat to exceed its maximum length:
    Code:
    unsigned int write_length = 1 /* heartbeat type */ +
     +					    2 /* heartbeat length */ +
     +					    payload + padding;
      
     +		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
     +			return 0;
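    Review bot: the check in this hunk bounds the outgoing write_length against SSL3_RT_MAX_PLAIN_LENGTH, but nothing in the visible lines compares the peer-supplied `payload` (read by `n2s(p, payload)` in the removed lines above) against the length of the received record; that comparison is what prevents the over-read, so the fragment is incomplete as a description of the fix and should also show the record-length check.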

    Of course, if the attacker went to the effort to save previous pcaps of traffic (are you listening GCHQ, NSA, FIS, MPS, etc?), that attacker could just pull the private key from the site and decrypt all saved communications.

    The user needs to do a few things themselves.
    For example, most users' web browsers are set, by default, to NOT check for revoked certificates!
    chrome.png
    Last edited by Gustav_Toppa; April 10th, 2014 at 12:14 PM.
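    An added example, not code from this thread or from OpenSSL: a constructed C model of heartbeat request handling that applies the record-length check the fix introduced (declared payload plus header and 16 bytes of padding must fit inside the bytes actually received) before any copy, plus the maximum-record-size check quoted above. Names such as heartbeat_length_ok and RT_MAX_PLAIN are assumptions of this example.

    ```c
    #include <stddef.h>
    #include <string.h>

    /* Constructed model of TLS heartbeat handling, not OpenSSL's code.
     * Record layout: 1 byte type, 2 bytes big-endian payload length,
     * payload bytes, then at least 16 bytes of padding. The bug was
     * trusting the declared length instead of the bytes actually received. */
    #define HB_REQUEST   1
    #define HB_RESPONSE  2
    #define HB_PADDING   16
    #define RT_MAX_PLAIN 16384 /* stands in for SSL3_RT_MAX_PLAIN_LENGTH */

    /* n2s: big-endian 16-bit to host, like the OpenSSL macro. */
    static unsigned int n2s(const unsigned char *p) {
        return ((unsigned int)p[0] << 8) | p[1];
    }

    /* Returns 1 and sets *payload if the declared payload length fits inside
     * the rrec_len bytes actually received; 0 otherwise. These are the two
     * bounds checks the real fix added before any copy happens. */
    int heartbeat_length_ok(const unsigned char *rec, size_t rrec_len,
                            unsigned int *payload) {
        if (rrec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
            return 0;
        *payload = n2s(rec + 1);
        return (1 + 2 + (size_t)*payload + HB_PADDING <= rrec_len);
    }

    /* Builds the response only once the length check passed. Returns bytes
     * written to out, or 0 when the request is rejected or the response would
     * exceed the maximum plaintext record (the write_length check in the patch). */
    size_t heartbeat_response(const unsigned char *rec, size_t rrec_len,
                              unsigned char *out, size_t out_len) {
        unsigned int payload;
        if (!heartbeat_length_ok(rec, rrec_len, &payload))
            return 0;
        size_t write_len = 1 + 2 + (size_t)payload + HB_PADDING;
        if (write_len > RT_MAX_PLAIN || write_len > out_len)
            return 0;
        out[0] = HB_RESPONSE;
        out[1] = (unsigned char)(payload >> 8);
        out[2] = (unsigned char)payload;
        memcpy(out + 3, rec + 3, payload);        /* bounded by the check */
        memset(out + 3 + payload, 0, HB_PADDING); /* padding; random in real TLS */
        return write_len;
    }
    ```
    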

  8. #18
    Join Date
    Nov 2009
    Beans
    3,225

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Does anyone know what these 2 lines mean - they are the only things I get warnings about in my authentication logs ........

    09/04/2014 17:54:47 keith-K53SV dbus[721] [system] Rejected send message, 7 matched rules; type="method_return", sender=":1.14" (uid=0 pid=1254 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.5" (uid=0 pid=941 comm="NetworkManager ")

    09/04/2014 20:11:43 keith-K53SV systemd-logind[877] Failed to issue method call: Unknown unit: autovt@tty6.service
    The first line of text is repeated a few times in my logs but the second one only appeared once - not sure if it's related or not ....... but it's the first time I have
    seen the second one and it has a yellow triangle against it .........

    ( I am on a laptop 14.04 development edition 64 bit, latest kernel as of yesterday and fully up to date as far as I can tell now )

    Just for peace of mind if anyone knows if they are anything to worry about or just a bug or something else.

  9. #19
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    Quote Originally Posted by cogset View Post
    On a side note, as you point out at imaps/pop3s/https/openvpn, do you mean that folks using a mail client on their desktop could be more at risk than the ones accessing the same services by regular webmail? I don't think so, but just to be sure.
    No, just that this bug affects anything that uses OpenSSL, which means mail servers in addition to web servers and vpn servers are affected until they have the patch applied.

    I created a sticky about this yesterday with some more user-oriented information:
    http://ubuntuforums.org/showthread.php?t=2216096
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  10. #20
    Join Date
    Feb 2014
    Beans
    6

    Re: What should we users do immediately about the heartbleed heartbeet openssl saucy

    After following the update/upgrade advice in this thread I have the following info on my PC

    OpenSSL 1.0.1e 11 Feb 2013
    built on: Mon Apr 7 20:31:43 UTC 2014
    platform: debian-i386

    Seeing the build being 1.0.1e I'm wondering if I have a safety issue here?
