Created 8 April 2014 By Julian H. Stacey

Non-technical:

  • The SSL bug opens many potential internet security loopholes for users, irrespective of operating system (Microsoft, BSD, Linux etc.). Many SSL-based services may be affected, eg SMTP, POP, IMAP, SASL, XMPP (chat), VPN (corporate nets) etc.

    Allow system admins a few days to assess & upgrade servers. Just browse for a few days; avoid net banking & web + card purchases; avoid services where you log in, security keys, inc. clouds & chat. Mail with POP, IMAP & VPN are all affected. Maybe webmail too.

    Do not rush to log in to check accounts & change passwords; wait for administrators to secure sites. (Although in theory passwords etc. could have been harvested since March 2012, there is a low chance of that, & a much higher chance in the last few days of criminals trying to exploit the just-published weakness against current net traffic, so keep off for a few days.)

    It's not a virus! despite this non-technical article labelling it as such in its URL & the graphic button on the page.
    That article also omits "Do not rush to log in" etc.
  • Please don't mail me questions: read the web & learn, then if you need, ask whoever you employ for support, eg your company's or net provider's system administrators.

    Alert re SSL TLS X.509:
    The bug has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012.
    OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
    Vulnerable:
        FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    Not vulnerable:
        FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
        FreeBSD Ports - OpenSSL 1.0.1g (at 7 Apr 21:46:40 2014 UTC)
    Domain registration (whois) data:
        Creation Date: 2014-04-05 15:13
        Registrant Name: Marko Laakso
        Registrant Organization: Codenomicon Oy
        Registrant Country: Finland
    OpenSSL Security Advisory [07 Apr 2014]
    TLS heartbeat read overrun (CVE-2014-0160)
    A missing bounds check in the handling of the TLS heartbeat extension can be
    used to reveal up to 64k of memory to a connected client or server.
    Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
    1.0.1f and 1.0.2-beta1.
    Thanks for Neel Mehta of Google Security for discovering this bug and to
    Adam Langley <> and Bodo Moeller <> for
    preparing the fix.
    Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
    upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
    1.0.2 will be fixed in 1.0.2-beta2.
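The advisory above names the defect as a missing bounds check. The following C example, added here and taken neither from OpenSSL nor from this page, shows what that check looks like on an RFC 6520 heartbeat message: the response builder refuses any record whose peer-supplied payload length, plus the 16 bytes of minimum padding, does not fit inside the bytes actually received. `make_heartbeat_record` is a constructed test-vector builder, not an OpenSSL function, and the zero padding in the response is a constructed simplification (real implementations use random padding).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout (added example, not OpenSSL source):
 *   1 byte   type (1 = heartbeat_request, 2 = heartbeat_response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_MIN_PADDING  16

/* Build the response to a heartbeat request that arrived in rec[0..rec_len).
 * Returns the response length written to out, or -1 if the request is
 * malformed or out is too small. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_len)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);

    /* This is the check that was missing in OpenSSL 1.0.1 through 1.0.1f:
     * the peer-supplied payload_length, plus the mandatory padding, must fit
     * inside the bytes actually received. Without it the memcpy below would
     * read up to 64 KiB past the end of the record and send it back. */
    if ((size_t)3 + payload + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = (size_t)3 + payload + HB_MIN_PADDING;
    if (resp_len > out_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* echo exactly what was received */
    memset(out + 3 + payload, 0, HB_MIN_PADDING); /* constructed: real code pads randomly */
    return (int)resp_len;
}

/* Constructed test-vector builder: writes a request whose length field says
 * claimed_len while only actual_len payload bytes (plus padding) are present. */
size_t make_heartbeat_record(uint8_t *buf, size_t buf_len, uint16_t claimed_len,
                             const uint8_t *payload, size_t actual_len)
{
    size_t n = 3 + actual_len + HB_MIN_PADDING;
    if (n > buf_len)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0xAA, HB_MIN_PADDING);
    return n;
}

int main(void)
{
    uint8_t rec[64], out[64];
    size_t n;

    /* length field and record agree: accepted, 24-byte response */
    n = make_heartbeat_record(rec, sizeof rec, 5, (const uint8_t *)"hello", 5);
    printf("consistent request:  %d\n", build_heartbeat_response(rec, n, out, sizeof out));

    /* length field claims 16384 bytes while the record carries 3: rejected */
    n = make_heartbeat_record(rec, sizeof rec, 16384, (const uint8_t *)"abc", 3);
    printf("inconsistent length: %d\n", build_heartbeat_response(rec, n, out, sizeof out));
    return 0;
}
```

Compile with `cc -std=c99 hb.c`. The second call in `main` hands the validator a record whose length field claims 16384 bytes of payload while the record carries three; the 1.0.1 through 1.0.1f code path copied the claimed length from beyond the record, which is the up-to-64k disclosure the advisory describes. With the check in place the message is rejected and nothing beyond the received bytes is touched.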
German: = DEUTSCH (translated):
    In the morning, for example, ,,, as well as the site of the online password manager LastPass were still vulnerable.
    On Tuesday afternoon even the site of the OpenSSL project was still vulnerable.
    OpenSSH at first sight is not affected [:443]
    https           443/sctp servers run FreeBSD:
    refers to CVE-2014-0076 & CVE-2014-0160 & openssl.patch

    cd /var/db/pkg; echo openssl*
    cd /var/db/ports/openssl
    grep OPENSSL_NO_HEARTBEATS /var/db/ports/openssl/options
    mv /var/db/ports/openssl /var/db/ports/openssl.was
    cd /usr/ports/security/openssl 
    make clean
        No mention of heartbeat during configure.
        Need to import current ports/ sources.  ....
    pkg_info -R openssl-1.0.1_4
        apache22-2.2.23 cyrus-sasl-2.1.25_2 lynx-,1

FreeBSD-9.1 + /pub/FreeBSD/branches/-current/ports/security/openssl/Makefile
        350548 2014-04-07 21:46:40Z
        PORTREVISION=   10
    sftp & cp -R ....
    cd /usr/ports/security/openssl.2014-04-07 ; make install
        broke, needed new Mk/ too ... sftp ....
    cd /var/db/pkg; echo openssl*
        openssl-1.0.1_10 openssl-1.0.1_4
    pkg_delete -f openssl-1.0.1_4

    cd /pub/FreeBSD/branches/-current/ports/ports-mgmt/dialog4ports 
    tar zcf ~/tmp/j . 
    sftp ..
    mkdir /usr/ports/ports-mgmt/dialog4ports
    cd /usr/ports/ports-mgmt/dialog4ports
    tar zxf ~/tmp/j
    make clean ; make install
    cd /usr/ports/security/openssl.2014-04-07
    make clean
    rm -rf /var/db/ports/openssl*
    make install
    cd /etc/mail
    make stop
    make start

    man ssh: The HISTORY section of ssl(8) contains a brief discussion
        of the DSA and RSA algorithms.
    man sshd: no mention of ssl
    man ssl: The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3)
        and Transport Layer Security (TLS v1) protocols.
    cd /var/db/pkg; echo openssl*
    pkg_info -R openssl-1.0.1_8
        cups-base-1.5.4_1 cups-1.5.4 hplip-3.13.6
        openldap-client-2.4.35 libreoffice-4.0.4_1 git-
        dillo-3.0.3 wget-1.14_2 wireshark-1.10.1
    echo firefox*
    pkg_info -r firefox-23.0,1 | grep -i ssl    # Nothing :-)
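Given the pkg_info checks above, a quick triage helper for `openssl version` output is handy. This C example is added here; it is not part of the page and not an OpenSSL or FreeBSD tool. It classifies an upstream version string against the range the advisory gives (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed; other branches unaffected). A FreeBSD package name such as openssl-1.0.1_4 is deliberately reported as unknown: the _N suffix is the port's PORTREVISION, not the upstream letter release, so only `openssl version` (or the port's distinfo) tells you which patch level is actually installed.

```c
#include <stdio.h>
#include <string.h>

/* Classification of an upstream OpenSSL version string against the
 * CVE-2014-0160 advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected,
 * 1.0.1g and 1.0.2-beta2 carry the fix, every other branch is unaffected.
 * Added example; this is not an OpenSSL or FreeBSD tool. */
enum hb_status { HB_UNAFFECTED = 0, HB_AFFECTED = 1, HB_FIXED = 2, HB_UNKNOWN = -1 };

enum hb_status heartbleed_status(const char *ver)
{
    int major, minor, fix, n = 0;

    /* accept "1.0.1e", "OpenSSL 1.0.1e 11 Feb 2013" and "openssl-1.0.1_4" */
    if (strncmp(ver, "OpenSSL ", 8) == 0) ver += 8;
    else if (strncmp(ver, "openssl-", 8) == 0) ver += 8;
    if (sscanf(ver, "%d.%d.%d%n", &major, &minor, &fix, &n) != 3)
        return HB_UNKNOWN;
    const char *suffix = ver + n;

    if (major != 1 || minor != 0)
        return HB_UNAFFECTED;                       /* 0.9.8x, 1.1.x, ... */

    if (fix == 1) {
        char c = suffix[0];
        if (c == '\0' || c == ' ') return HB_AFFECTED;  /* plain 1.0.1 */
        if (c >= 'a' && c <= 'f') return HB_AFFECTED;   /* 1.0.1a .. 1.0.1f */
        if (c >= 'g' && c <= 'z') return HB_FIXED;      /* 1.0.1g onwards */
        /* "1.0.1_4": a FreeBSD PORTREVISION, which says nothing about the
         * upstream letter release; the caller must run `openssl version` */
        return HB_UNKNOWN;
    }
    if (fix == 2) {
        if (strncmp(suffix, "-beta1", 6) == 0) return HB_AFFECTED;
        return HB_FIXED;      /* 1.0.2-beta2 and later carry the fix per advisory */
    }
    return HB_UNAFFECTED;     /* 1.0.0x never contained the heartbeat code */
}

static const char *hb_status_name(enum hb_status s)
{
    switch (s) {
    case HB_AFFECTED:   return "AFFECTED - upgrade";
    case HB_FIXED:      return "fixed";
    case HB_UNAFFECTED: return "unaffected";
    default:            return "unknown - run `openssl version`";
    }
}

int main(void)
{
    /* constructed sample inputs, matching strings seen on this page */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014", "1.0.2-beta1", "openssl-1.0.1_4",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i], hb_status_name(heartbleed_status(samples[i])));
    return 0;
}
```

Feed it `openssl version` output for each host (for example `openssl version | ./hbcheck`-style piping would need a stdin reader; here the samples are embedded). Remember that a rebuilt library is only half the job: every long-running daemon that loaded the old libssl (the apache22, cyrus-sasl, cups and openldap-client dependents listed above) keeps the vulnerable code in memory until it is restarted, so pair the version check with the service restarts the notes above show for sendmail.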

    PS extracts:

    From: Pete Stephenson <>
    Date: Thu, 10 Apr 2014 00:45:55 +0200
    To: ...
        Firefox is immune because it uses the NSS Crypto library.

    From: Sam Gleske <>
    Date: Wed, 9 Apr 2014 19:10:10 -0400 (Thu 01:10 CEST)
    To: ...  Gnupg-users <>
        While it's true Firefox does not link openssl in binaries, the vulnerability
        allows an attacker to easily hijack sessions, steal usernames and
        passwords, and steal the server private key during the SSL negotiation
        phase.  See my comments above for how you can verify that.

    cd /var/db/pkg; echo openssl* # openssl-1.0.1_8
    cd /var/db/ports/openssl # /var/db/ports/openssl: No such file or directory.

Mentioned on gnupg mail list:
