
http://www.berklix.com/~jhs/ssl/heartbleed/

Created 8 April 2014 By Julian H. Stacey

Non technical:

  • The SSL bug opens many potential internet security loopholes for users, irrespective of whether they run Microsoft, BSD, Linux etc. Many SSL based services may be affected, eg SMTP, POP, IMAP, SASL, XMPP (chat), VPN (corporate nets) etc.

    Allow system admins a few days to assess & upgrade servers. Just browse for a few days. Avoid net banking & web + card purchases; avoid services where you log in, security keys, inc. clouds & chat. Mail with POP or IMAP, & VPN, are all affected. Maybe webmail too.

    Do not rush to log in & check accounts & change passwords; wait for administrators to secure sites. A password changed on a site that is still vulnerable can be harvested just like the old one. (Although in theory passwords etc could have been harvested since March 2012, there is a low chance of that, & a much higher chance in the last few days of criminals trying to exploit the just published weakness against current net traffic, so keep off for a few days.)

  • http://www.bbc.com/news/technology-26935905
  • http://www.snopes.com/computer/virus/heartbleed.asp
    It's not a virus, despite this non-technical article labelling it as such in its URL & in a graphic button on the page.
  • http://askbobrankin.com/a_gaping_hole_in_internet_security.html?awt_l=7tTPw&awt_m=IiC1hGQx5uP6SL
    Omits the "Do not rush to log in" advice etc.
  • Please don't mail me questions: read the web & learn, then if you still need help, ask whoever you employ for support, eg your company's or net provider's system administrators.

Technical

http://heartbleed.com/
    Alert re SSL / TLS / X.509 (leaked server memory can include the certificate's private key).
    In the wild since OpenSSL release 1.0.1 on 14th of March 2012.
    OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
    vulnerable:
        FreeBSD 10.0 base system - OpenSSL 1.0.1e 11 Feb 2013
    not vulnerable:
        FreeBSD 9.2 base system - OpenSSL 0.9.8y 5 Feb 2013 (0.9.8 & 1.0.0 never had the heartbeat code)
        FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
    Workaround if you cannot upgrade yet: recompile with -DOPENSSL_NO_HEARTBEATS
whois heartbleed.com
    Creation Date: 2014-04-05 15:13
    Registrant Name: Marko Laakso
    Registrant Organization: Codenomicon Oy
    Registrant Country: Finland
http://www.openssl.org/news/secadv_20140407.txt
    OpenSSL Security Advisory [07 Apr 2014]
    TLS heartbeat read overrun (CVE-2014-0160)
    A missing bounds check in the handling of the TLS heartbeat extension can be
    used to reveal up to 64k of memory to a connected client or server.
    Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
    1.0.1f and 1.0.2-beta1.
    Thanks for Neel Mehta of Google Security for discovering this bug and to
    Adam Langley <agl@@@chromium.org> and Bodo Moeller <bmoeller@@@acm.org> for
    preparing the fix.
    Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
    upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
    1.0.2 will be fixed in 1.0.2-beta2.
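The advisory's one line ("a missing bounds check in the handling of the TLS heartbeat extension") worked through as an added example. This is not OpenSSL's source and not code from this page: it is a small self-contained C model of an RFC 6520 heartbeat handler, with a constructed 4 KiB "process memory" array and a constructed secret placed right after the received record. heartbeat_vulnerable reproduces the pre-1.0.1g logic (trust the 2-byte length field in the peer's message and never compare it with the record actually received); heartbeat_fixed adds the two checks 1.0.1g introduced (the record must hold at least 1+2+16 bytes, and 1+2+payload+16 must fit inside it, else silently discard). All function and constant names, the 64-byte claimed length and the secret string are the example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16

/* Constructed model of the server's address space: the received record sits
 * at offset 0; whatever follows it (here a constructed secret) is what an
 * over-read copies into the reply. Everything stays inside this array, so the
 * demo itself is well-defined C while modelling the out-of-bounds read. */
static uint8_t process_memory[4096];
static const char SECRET[] = "CONSTRUCTED-PRIVATE-KEY-BYTES";

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len,
                             uint8_t *resp, size_t resp_cap);

/* Build a request whose length field may lie; returns the true record length. */
static size_t build_request(uint8_t *out, uint16_t claimed_len,
                            const uint8_t *payload, size_t real_len)
{
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_MIN_PAD);
    return 3 + real_len + HB_MIN_PAD;
}

/* Pre-1.0.1g logic: the peer's length field is trusted and never compared with
 * the record actually received. Returns bytes written to resp, 0 if dropped. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                                   /* the missing bounds check */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t n = 3 + (size_t)payload + HB_MIN_PAD;
    if (rec[0] != HB_REQUEST || n > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);              /* reads past the short record */
    memset(resp + 3 + payload, 0, HB_MIN_PAD);
    return n;
}

/* 1.0.1g logic: the claimed payload must fit inside the received record,
 * otherwise the message is silently discarded (RFC 6520 section 4). */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *resp, size_t resp_cap)
{
    if (1 + 2 + HB_MIN_PAD > rec_len)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_MIN_PAD > rec_len)
        return 0;                                    /* the added check */
    size_t n = 3 + (size_t)payload + HB_MIN_PAD;
    if (rec[0] != HB_REQUEST || n > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_MIN_PAD);
    return n;
}

/* Send 4 real bytes that claim to be 64; report whether the reply carries
 * the secret that lay in memory just after the record. */
static int leaks_secret(hb_handler handler)
{
    static const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };
    uint8_t resp[256];
    size_t slen = sizeof SECRET - 1;
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_request(process_memory, 64, ping, sizeof ping);
    memcpy(process_memory + rec_len, SECRET, sizeof SECRET);
    size_t n = handler(process_memory, rec_len, resp, sizeof resp);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

/* A well-formed request (claimed length == real length) must still be
 * answered after the fix; returns the reply length, 0 if dropped. */
static size_t honest_reply_len(hb_handler handler)
{
    static const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };
    uint8_t resp[256];
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_request(process_memory, sizeof ping, ping, sizeof ping);
    return handler(process_memory, rec_len, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler answers honest request: %zu bytes\n", honest_reply_len(heartbeat_fixed));
    return 0;
}
```

Build with cc -std=c99 -Wall. The vulnerable handler returns a 3+64+16 byte reply whose payload is 64 bytes of memory starting at the 4-byte "ping", so the secret comes back; the fixed handler drops that message and still answers the honest 4-byte request with a 23-byte reply. The advisory's third option, building with -DOPENSSL_NO_HEARTBEATS, compiles the heartbeat handler out altogether, so neither path runs.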
German: http://heise.de/-2165995
http://www.heise.de/security/meldung/SSL-Gau-So-testen-Sie-Programme-und-Online-Dienste-2165995.html
    (translated from the German:)
    In the morning, for example, Adobe.com, Web.de, VeriSign.com,
    Comodo.com and the site of the online password manager
    LastPass were still vulnerable.
    On Tuesday afternoon even the OpenSSL project's own site was still vulnerable.
    OpenSSH appears, at first sight, not to be affected.
http://filippo.io/Heartbleed/
    Online test: enter example.com[:443]; the port defaults to 443, https in /etc/services
    (FreeBSD lists tcp, udp & sctp entries for it; the one that came up on grep:)
        https           443/sctp
    Direct link form: http://filippo.io/Heartbleed/#yourhost.com:443

http://www.berklix.org servers run FreeBSD:

http://lists.freebsd.org/pipermail/freebsd-security/2014-April/subject.html
http://lists.freebsd.org/pipermail/freebsd-security/2014-April/007404.html
http://lists.freebsd.org/pipermail/freebsd-questions/2014-April/257326.html
http://lists.freebsd.org/pipermail/freebsd-security-notifications/2014-April/000200.html
    refers to CVE-2014-0076 & CVE-2014-0160 & openssl.patch 

FreeBSD-9.1:
    cd /var/db/pkg; echo openssl*                       # which openssl package is installed
    cd /var/db/ports/openssl
    grep OPENSSL_NO_HEARTBEATS /var/db/ports/openssl/options   # was the workaround knob set?
    mv /var/db/ports/openssl /var/db/ports/openssl.was
    cd /usr/ports/security/openssl
    make clean
    make
        No mention of heartbeat during configure.
        Need to import current ports/ sources.  ....
    pkg_info -R openssl-1.0.1_4                         # what depends on this openssl
        apache22-2.2.23 cyrus-sasl-2.1.25_2 lynx-2.8.7.2,1

FreeBSD-9.1 + /pub/FreeBSD/branches/-current/ports/security/openssl/Makefile
        350548 2014-04-07 21:46:40Z                     # the ports commit that went to 1.0.1g
        DISTVERSIONSUFFIX=      g
        PORTREVISION=   10
    sftp & cp -R ....
    cd /usr/ports/security/openssl.2014-04-07 ; make install
        broke, needed new Mk/ too ... sftp ....
    cd /var/db/pkg; echo openssl*
        openssl-1.0.1_10 openssl-1.0.1_4                # new & old both registered
    pkg_delete -f openssl-1.0.1_4                       # drop the old, vulnerable one

    ....
    cd /pub/FreeBSD/branches/-current/ports/ports-mgmt/dialog4ports   # the newer Mk/ framework needs dialog4ports
    tar zcf ~/tmp/j .
    sftp ..
    mkdir /usr/ports/ports-mgmt/dialog4ports
    cd /usr/ports/ports-mgmt/dialog4ports
    tar zxf ~/tmp/j
    make clean ; make install
    cd /usr/ports/security/openssl.2014-04-07
    make clean
    rm -rf /var/db/ports/openssl*                       # forget saved options, reconfigure from scratch
    make
    make install
    cd /etc/mail                                        # restart services that had the old library loaded
    make stop
    make start
    mailq



FreeBSD-9.2:
    man ssh: The HISTORY section of ssl(8) contains a brief discussion
        of the DSA and RSA algorithms.
    man sshd: no mention of ssl
    man ssl: The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3)
        and Transport Layer Security (TLS v1) protocols.
    cd /var/db/pkg; echo openssl*
    pkg_info -R openssl-1.0.1_8                 # a 1.0.1 port revision older than the _10 that brought 1.0.1g,
                                                # so this ports build is affected even though base 0.9.8y is not
        cups-base-1.5.4_1 cups-1.5.4 hplip-3.13.6
        openldap-client-2.4.35 libreoffice-4.0.4_1 git-1.8.3.4
        dillo-3.0.3 wget-1.14_2 wireshark-1.10.1
    echo firefox*
    pkg_info -r firefox-23.0,1 | grep -i ssl    # Nothing :-) firefox does not depend on the openssl port

    PS extracts:
    {
    From: Pete Stephenson <pete@@@heypete.com>
    Date: Thu, 10 Apr 2014 00:45:55 +0200
    To: ...  gnupg-users@@@gnupg.org
    
    Firefox is immune because it uses the NSS Crypto library.
    }
    ----------
    {
    From: Sam Gleske <sam.mxracer@gmail.com>
    Date: Wed, 9 Apr 2014 19:10:10 -0400 (Thu 01:10 CEST)
    To: ...  Gnupg-users <gnupg-users@gnupg.org>
    
    
    While it's true Firefox does not link openssl in binaries, the vulnerability
    allows an attacker to easily hijack sessions, steal usernames and
    passwords, and steal the server private key during the SSL negotiation
    phase.  See my comments above for how you can verify that.
    }
    ----------

FreeBSD-10.0:
    cd /var/db/pkg; echo openssl* # openssl-1.0.1_8
    cd /var/db/ports/openssl # /var/db/ports/openssl: No such file or directory.

Mentioned on the gnupg mail list:
http://pastebin.com/WmxzjkXJ
contains the test script
http://s3.jspenguin.org/ssltest.py
