What should we users do immediately about the heartbleed heartbeet openssl saucy flaw

[23dornot23d]

Cheers am uptodate now and after changing servers - did a safe-upgrade .......
its giving me the same build though but the build date has changed now .........

# openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Apr 7 21:22:23 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Latest Ubuntu 14.04 - 64 bit and the kernel is now at 3.13.0-23-generic ........

screenshot here of my desktop as I rebooted and just ran it again to check for any changes
http://i.minus.com/iqFlyZe3NiEOZ.png

Is that as upto date as I can go now ?

ok going back to what was said earlier - seems I am ok now

It should say build date: April 7 or April 8 if you have the patched version.

[CharlesA]

That's fine, there was another update to openssl that forced services depending on it to restart.

[23dornot23d]

Ok thank you - am happy again things are starting going well again today .......

[joelgsf]

I've did an update/upgrade, changed repository to "main server", did an update/upgrade again, but I'm still getting

OpenSSL 1.0.1 14 Mar 2012

both in my desktop and server. In time, I'm using Ubuntu 12.04 LTS on both systems.
How can I get the new version of OpenSSL?
TIA

[CharlesA]

Run this:

Code:

openssl version -a

It should say build date: April 7 or April 8 if you have the patched version.

Run that ^.

[cogset]

As it stands now, that update is more geared toward servers and people using imaps/pop3s/https/openvpn than desktop users, but it's still a good thing to have updated.

If you don't mind,I'd like to understand a bit more about this thing:this openssl vulnerability,as far as I can tell from reading of it in "tech" websites
http://www.zdnet.com/heartbleed-secu...us-7000028216/
http://arstechnica.com/security/2014...-before-patch/
does actually affect the server side of things,in other words there's really not much that an average desktop user can do/is supposed to do.Is that correct?
Furthermore,assuming that it has been actually going on since november as some observers are claiming,we can only guess that data has indeed been taken from compromised servers,and there's nothing to be done about it.
Is there anything that desktop users should be aware of,anything unusual to check?

On a side note,as you point out at imaps/pop3s/https/openvpn,do you mean that folks using a mail client on their desktop could be more at risk then the ones accessing the same services by regular webmail?I don't think so,but just to be sure.

[Gustav_Toppa]

I'd like to understand a bit more about this thing:this openssl vulnerability.

In a heartbeat, Robin Seggelmann < seggelmann at fh-muenster.de > submitted this line of code which was committed an hour before midnight on New Year's Eve, 2011 by Stephen Henson < steve at openssl.org >.
buffer = OPENSSL_malloc(1 + 2 + payload + padding);

That line of code is only present in OpenSSL versions between 1.0.1 and 1.0.1f, including betas; anything older or newer and the bug isn’t present.

The fix was simply to limit the payload plus padding to 16 bytes

Code:

-    /* Read type and payload length first */

                    -    hbtype = *p++;

                    -    n2s(p, payload);

                    -    pl = p;

And, to not allow the heartbeat to exceed its maximum length:

Code:

unsigned int write_length = 1 /* heartbeat type */ +
 +					    2 /* heartbeat length */ +
 +					    payload + padding;
  
 +		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
 +			return 0;

Of course, if the attacker went to the effort to save previous pcaps of traffic (are you listening GCHQ, NSA, FIS, MPS, etc?), that attacker could just pull the private key from the site and decrypt all saved communications.

The user needs to do a few things themselves.
For example, most users' web browsers are set, by default, to NOT check for revoked certificates!
chrome.png

[23dornot23d]

Does anyone know what these 2 lines mean - they are the only things I get warnings about in my authentication logs ........

09/04/2014 17:54:47 keith-K53SV dbus[721] [system] Rejected send message, 7 matched rules; type="method_return", sender=":1.14" (uid=0 pid=1254 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.5" (uid=0 pid=941 comm="NetworkManager ")

09/04/2014 20:11:43 keith-K53SV systemd-logind[877] Failed to issue method call: Unknown unit: autovt@tty6.service

the first line of text is repeated a few times in my logs but the second one only appeared once - not sure if its related or not ....... but its the first time I have
seen the second one and it has a yellow triangle against it .........

( I am on a laptop 14.04 development edition 64 bit latest kernel as of yesterday and fully uptodate as far as I can tell now )

Just for peace of mind if anyone knows if they are anything to worry about or just a bug or something else.

[CharlesA]

On a side note,as you point out at imaps/pop3s/https/openvpn,do you mean that folks using a mail client on their desktop could be more at risk then the ones accessing the same services by regular webmail?I don't think so,but just to be sure.

No, just that this bug affects anything that uses OpenSSL, which means mail servers in addition to web servers and vpn servers are affected until they have the patch applied.

I created a sticky about this yesterday with some more user-oriented information:
http://ubuntuforums.org/showthread.php?t=2216096

[dad2]

after following the update/upgrade advice in this thread i have the following info on my pc

OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:31:43 UTC 2014
platform: debian-i386



seeing the build being 1.0.1 e i'm wondering if i have a safety issue here?