[arch-general] Heartbleed-bug in OpenSSL 1.0.1 up to 1.0.1f
Hi,

there is a bug (1) in OpenSSL 1.0.1 and, as far as I'm informed, this has only been patched in 1.0.1g. Many other distributions have built their own patch; what about us?

Currently we have "1.0.1.f-2", which is affected as far as I know.

Greetings
Neal

1) (sorry, German) http://www.golem.de/news/sicherheitsluecke-keys-auslesen-mit-openssl-1404-10...
Hi

On Tue, Apr 8, 2014 at 8:29 AM, Neal Oakey <neal.oakey@googlemail.com> wrote:
> Hi,
> there is a bug (1) in OpenSSL 1.0.1 and, as far as I'm informed, this has only been patched in 1.0.1g. Many other distributions have built their own patch; what about us?

It is fixed already. The new version of openssl is in the stable repository already. https://www.archlinux.org/packages/core/x86_64/openssl/

> Currently we have "1.0.1.f-2", which is affected as far as I know.
Hi

On Tue, Apr 8, 2014 at 8:32 AM, Anatol Pomozov <anatol.pomozov@gmail.com> wrote:
> It is fixed already. The new version of openssl is in the stable repository already. https://www.archlinux.org/packages/core/x86_64/openssl/

One more tip: after you have updated the system and installed the new openssl package you need to restart services that still use the old version of openssl. Here is a one-liner (from [1]) that finds such applications for you:

    sudo lsof +c 0 | grep -w DEL | awk '1 { print $1 ": " $NF }' | grep ssl

[1] https://wiki.archlinux.org/index.php/Pacman_Tips#Find_applications_that_use_...
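The same check as the one-liner above, as an added example written for this page (it is neither the wiki's script nor anything posted in the thread): it parses `lsof +c 0` output, keeps rows whose FD column is DEL (a mapped file whose directory entry is gone, which is what a package upgrade does to the old libssl), and groups the stale paths by process. The lsof rows in the block are constructed, and the column positions assume lsof's default layout, the same assumption the awk one-liner makes.

```python
"""Which running processes still map a deleted (i.e. upgraded-away) libssl/libcrypto?
Added example, not the wiki one-liner's code: same idea, parsed instead of grepped.
Sample lsof rows below are constructed."""
import re
import subprocess
from collections import defaultdict

# lsof prints FD == "DEL" for a mapped file whose directory entry is gone, which is
# exactly what a package upgrade does to the old .so. Column positions assume the
# default lsof layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME), the same
# assumption the awk one-liner makes; `+c 0` keeps COMMAND from being truncated.
SSL_LIB = re.compile(r"/lib(ssl|crypto)\.so")


def stale_library_users(lsof_output, pattern=SSL_LIB):
    """Map (command, pid) -> list of deleted library paths still mapped by that process."""
    hits = defaultdict(list)
    for line in lsof_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] != "DEL":
            continue
        command, pid, path = fields[0], fields[1], fields[-1]
        if pattern.search(path):
            hits[(command, pid)].append(path)
    return dict(hits)


def services_to_restart(lsof_output, pattern=SSL_LIB):
    """Distinct process names holding a stale library, sorted, as a restart list."""
    return sorted({command for command, _pid in stale_library_users(lsof_output, pattern)})


def live_check():
    """Run lsof on this host (needs root to see other users' processes; not run by the test)."""
    out = subprocess.run(["lsof", "+c", "0"], capture_output=True, text=True, check=False)
    return stale_library_users(out.stdout)


# Constructed sample: nginx and postfix still map the pre-upgrade libssl/libcrypto,
# sshd maps the old libcrypto (not exploitable, since ssh does not use TLS, but it is
# still running the old code), and nginx's libz mapping is live, not deleted.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 812 http DEL REG 8,1 262144 /usr/lib/libssl.so.1.0.0
nginx 812 http DEL REG 8,1 262145 /usr/lib/libcrypto.so.1.0.0
nginx 812 http mem REG 8,1 100536 262146 /usr/lib/libz.so.1
postfix 900 postfix DEL REG 8,1 262144 /usr/lib/libssl.so.1.0.0
sshd 640 root DEL REG 8,1 262145 /usr/lib/libcrypto.so.1.0.0
"""

if __name__ == "__main__":
    for (command, pid), paths in stale_library_users(SAMPLE_LSOF).items():
        print(f"{command} ({pid}): {', '.join(paths)}")
    print("restart:", " ".join(services_to_restart(SAMPLE_LSOF)))
```

Run it as root and replace `SAMPLE_LSOF` with `live_check()` to get the real list; anything it prints is a process that linked the old library and needs a restart (or a reboot), regardless of whether that process itself speaks TLS.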
On Tuesday, April 08, 2014 05:29:11 PM Neal Oakey wrote:
> Hi,
> there is a bug (1) in OpenSSL 1.0.1 and, as far as I'm informed, this has only been patched in 1.0.1g. Many other distributions have built their own patch; what about us? Currently we have "1.0.1.f-2", which is affected as far as I know.
> Greetings Neal
> 1) (sorry, German) http://www.golem.de/news/sicherheitsluecke-keys-auslesen-mit-openssl-1404-105685.html

I see 1.0.1g, myself. Make sure your mirror is up to date.

Conrad
Hi,

ah ... ok, kicked the top mirror, now I'm back up to date. Thanks
Neal

On 08.04.2014 17:32, yaro@marupa.net wrote:
> I see 1.0.1g, myself. Make sure your mirror is up to date.
>
> Conrad
% pacman -Si openssl
Repository     : core
Name           : openssl
Version        : 1.0.1.g-1
Description    : The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
Architecture   : x86_64
URL            : https://www.openssl.org
Licenses       : custom:BSD
Groups         : None
Provides       : None
Depends On     : zlib  perl
Optional Deps  : ca-certificates
Conflicts With : None
Replaces       : None
Download Size  : 2317.98 KiB
Installed Size : 6217.00 KiB
Packager       : Pierre Schmitz <pierre@archlinux.de>
Build Date     : Mon 07 Apr 2014 04:28:06 PM EDT
Validated By   : MD5 Sum  SHA256 Sum  Signature

https://www.archlinux.org/packages/core/x86_64/openssl/
> Currently we have "1.0.1.f-2", which is affected as far as I know.

pacman -Syu should upgrade it to 1.0.1.g-1? pacman -Q openssl reports that version anyway, which fixes heartbleed. [1]

Greetings,
Zeger-Jan van de Weg

[1] https://www.openssl.org/news/secadv_20140407.txt
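The affected range from the advisory [1], turned into a check that understands both upstream's "1.0.1f" and Arch's "1.0.1.f-2" spelling. This is an added example written for this page, not code from the thread or from Arch; the `installed_openssl_affected()` helper that shells out to `pacman -Q` is only useful on an Arch host and is not exercised offline.

```python
"""Is an OpenSSL version in the Heartbleed-affected range? Added example
(not from the thread). Range per the OpenSSL advisory of 2014-04-07:
1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g is fixed;
1.0.0 and 0.9.8 never had the heartbeat code."""
import re
import subprocess

# Upstream spells it "1.0.1f"; Arch packages it as "1.0.1.f-2" (dot before the
# letter, "-N" package release suffix). Betas look like "1.0.2-beta1".
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)\.?([a-z]?)(?:-beta(\d+))?(?:-\d+)?$")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, beta); letter is '' and beta None when absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def heartbleed_affected(version):
    """True if this OpenSSL version still contains CVE-2014-0160."""
    major, minor, patch, letter, beta = parse_openssl_version(version)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"              # '' (1.0.1 itself) .. 'f' are vulnerable
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1                 # only 1.0.2-beta1 shipped the bug; beta2 fixed it
    return False                         # 1.0.0 and 0.9.8 never had it; later branches ship the fix


def parse_pacman_q(line):
    """Version string out of a 'pacman -Q openssl' line such as 'openssl 1.0.1.g-1'."""
    name, _, version = line.strip().partition(" ")
    if name != "openssl" or not version:
        raise ValueError(f"unexpected pacman -Q output: {line!r}")
    return version


def installed_openssl_affected():
    """Run pacman -Q on this host (Arch only; not exercised by the offline test)."""
    out = subprocess.run(["pacman", "-Q", "openssl"], capture_output=True, text=True, check=True)
    return heartbleed_affected(parse_pacman_q(out.stdout))
```

Note that a "fixed" package version only says the files on disk are fixed; the lsof check earlier in the thread is still needed to find processes that loaded the old library before the upgrade.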
On 08/04/2014 17:29, Neal Oakey wrote:
> Many other distributions have built their own patch; what about us?

As a reminder, there is now a wiki page that tracks all security issues and their status in Arch Linux [1]. If it's not there, please either add the issue in the wiki yourself and file a bug report (see [2]), or drop by on IRC at #archlinux-security (on Freenode) and let us know about it.

[1] https://wiki.archlinux.org/index.php/CVE-2014
[2] https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team

--
Timothée Ravier
On 08.04.2014 17:29, Neal Oakey wrote:
> Hi,
> there is a bug (1) in OpenSSL 1.0.1 and, as far as I'm informed, this has only been patched in 1.0.1g. Many other distributions have built their own patch; what about us? Currently we have "1.0.1.f-2", which is affected as far as I know.
> Greetings Neal
> 1) (sorry, German) http://www.golem.de/news/sicherheitsluecke-keys-auslesen-mit-openssl-1404-10...

I actually did push an updated package within 3 hours after the public announcement. I think that is pretty reasonable, especially since we are not among the fortunate distros and companies that were notified beforehand.

Greetings,
Pierre

--
Pierre Schmitz, https://pierre-schmitz.com
Hi

On Tue, Apr 8, 2014 at 9:29 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
> I actually did push an updated package within 3 hours after the public announcement. I think that is pretty reasonable, especially since we are not among the fortunate distros and companies that were notified beforehand.

Is there any "secret security list" for distros where such issues are discussed/notified before a vulnerability gets public attention? If there is one then Arch should be added there as well.
Slightly OT, but for those interested, I added the heartbleed utility (used by the heartbleed checker site) to the AUR: https://aur.archlinux.org/packages/heartbleed-git/

    % heartbleed mediacru.sh:443
    2014/04/08 17:53:57 mediacru.sh:443 - SAFE

J. Leclanche

On Tue, Apr 8, 2014 at 5:35 PM, Anatol Pomozov <anatol.pomozov@gmail.com> wrote:
> Is there any "secret security list" for distros where such issues are discussed/notified before a vulnerability gets public attention? If there is one then Arch should be added there as well.
[ I had to reconstruct the message from the online archive -- sorry if the message ID is screwed up ]

On Tue, 8 Apr 2014 17:54:14 +0100 adys.wh at gmail.com (Jerome Leclanche) wrote:
> Slightly OT, but for those interested, I added the heartbleed utility (used by the heartbleed checker site) to the AUR: https://aur.archlinux.org/packages/heartbleed-git/
>
> % heartbleed mediacru.sh:443
> 2014/04/08 17:53:57 mediacru.sh:443 - SAFE
>
> J. Leclanche

One should probably make clear that openssh servers/clients are _not_ affected, because ssh does not use TLS: http://serverfault.com/questions/587433/heartbleed-are-services-other-than-h...

--
Leonid Isaev
GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
> I actually did push an updated package within 3 hours after the public announcement. I think that is pretty reasonable, especially since we are not among the fortunate distros and companies that were notified beforehand.

It's very good! Only a few distributions and vendors can do that!

What is the situation with the Arch Linux websites and other servers? I remind you that this flaw is rather critical and applying the patch/new version is probably not enough (especially if you are . There are already a lot of people playing with this bug and trying to extract "secrets" and sensitive data from servers. TLS private keys should be revoked and new ones generated, as should htpasswd etc.

o/
RbN
participants (10)
- Anatol Pomozov
- Daniel Micay
- Jerome Leclanche
- Leonid Isaev
- Neal Oakey
- Pierre Schmitz
- RbN
- Timothée Ravier
- yaro@marupa.net
- Zeger-Jan van de Weg