check your servers for the heartbleed bug in openssl - SSL was broken.


Bruce Kirkpatrick

Apr 8, 2014, 4:54:12 PM
to ra...@googlegroups.com
Just wanted to share that there is a serious problem with openssl that allows public users to get past SSL security.  This affected most recent Linux OS distributions.
http://heartbleed.com/

It lets people steal your private keys and do other bad things.  Pretty serious problem.

Not too hard to fix.  I had to upgrade ours, and restart the services to fix the vulnerability.  It doesn't auto-fix when you update openssl only, the nginx/apache restart was required on both ubuntu and centos for me.   Nginx also required libssl to be upgraded for me, not just openssl.

You can check for server vulnerability more quickly here:

I'm on ubuntu 13.04 still, so I had to manually upgrade to saucy packages to fix it since it's no longer supported.

It's all over the tech news right now:

hope this helps!
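A check for the restart step Bruce describes, as an added example that is not part of this thread: a package upgrade replaces libssl/libcrypto on disk, but an nginx or apache process that was already running keeps the old copy mapped until it is restarted, and Linux marks such mappings "(deleted)" in /proc/<pid>/maps. The script below (assumes Linux and a readable /proc; the sample maps lines are constructed) flags processes in that state.

```shell
#!/bin/sh
# Added example, not from the thread. A process that still maps a replaced
# libssl/libcrypto is still running the old, vulnerable code; the kernel shows
# the replaced file in /proc/<pid>/maps with a "(deleted)" suffix.

# stale_ssl_maps: read /proc/<pid>/maps text on stdin and print the
# libssl/libcrypto paths that have been replaced on disk (empty if none).
stale_ssl_maps() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so' | grep '(deleted)' | awk '{ print $6 }' | sort -u
}

# pid_needs_restart: status 0 if process $1 still maps a replaced TLS library.
pid_needs_restart() {
    [ -r "/proc/$1/maps" ] || return 1
    [ -n "$(stale_ssl_maps < "/proc/$1/maps")" ]
}

# scan_running: report every readable process on this host that needs a restart.
scan_running() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if pid_needs_restart "$pid"; then
            name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf 'PID %s (%s) still maps: %s\n' "$pid" "$name" \
                "$(stale_ssl_maps < "$maps" | tr '\n' ' ')"
        fi
    done
    return 0
}

# Constructed sample: a worker started before the OpenSSL upgrade.
STALE_SAMPLE='7f1a2b000000-7f1a2b200000 r-xp 00000000 08:01 131329 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2b400000-7f1a2b600000 r-xp 00000000 08:01 131330 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1a2b800000-7f1a2b900000 r-xp 00000000 08:01 131400 /lib/x86_64-linux-gnu/libc-2.17.so'

# Constructed sample: the same worker after a restart, same libraries, nothing deleted.
FRESH_SAMPLE='7f1a2b000000-7f1a2b200000 r-xp 00000000 08:01 131500 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1a2b400000-7f1a2b600000 r-xp 00000000 08:01 131501 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0'

if [ "${1:-}" = "--live" ]; then
    scan_running    # run as root right after the openssl/libssl package upgrade
else
    printf '%s\n' "$STALE_SAMPLE" | stale_ssl_maps   # prints the two replaced libraries
fi
```

Debian/Ubuntu's needrestart package and the needs-restarting tool from yum-utils on CentOS do a broader version of this same check.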

rushglen

Apr 8, 2014, 10:12:02 PM
to ra...@googlegroups.com
phew! all ok, thanks.

melinite

Apr 8, 2014, 10:45:59 PM
to ra...@googlegroups.com
According to heartbleed.com, these are the affected and unaffected OSes. Basically, if you are using openssl v1+ then you need to rekey, reissue, recompile, update, patch, and pray.

Affected:

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

melinite

Apr 8, 2014, 10:47:25 PM
to ra...@googlegroups.com
Also please use this more thorough tool than the one mentioned by Bruce.


Keep that SSL checker bookmarked; it is very useful, and they are up to date with most CVEs and 0day exploits when they occur. The tool Bruce mentioned was a simple hack.

Rani

Apr 9, 2014, 5:22:45 AM
to ra...@googlegroups.com
Thanks Bruce for the info.

I would also like to share another SSL checker tool from Qualys which I have been using for a while:

https://www.ssllabs.com/ssltest/index.html

Igal @ getRailo.org

Apr 9, 2014, 1:28:53 PM
to ra...@googlegroups.com
FYI:  on Windows \ nginx an update of nginx to version 1.5.13 seems to resolve the issue.

-- 
Igal Sapir
Railo Core Developer
http://getRailo.org/

Brad Wood

Apr 10, 2014, 6:39:20 PM
to ra...@googlegroups.com
I've seen a lot of information relating to *hosts* which are serving SSL content, but from what I've read today clients (such as CURL) can also be vulnerable.
Does CFHTTP use openSSL and could our CFML code which connects to a remote HTTPS endpoint be insecure?

Thanks!

~Brad

Sean Daniels

Apr 11, 2014, 10:40:42 AM
to ra...@googlegroups.com
This is a really excellent question and I would love to get a response from the Railo team as well.

I’m pretty sure Railo uses the Apache commons library httpclient for cfhttp. Google-fu is not producing any useful results about whether or not org.apache.commons.httpclient.HttpClient itself is vulnerable.

I’ll keep looking.

- Sean

Sean Daniels

Apr 11, 2014, 10:48:37 AM
to ra...@googlegroups.com
I used the tester application at https://reverseheartbleed.com and got an OK result from my Railo 4.2 server calling their test URL via cfhttp.

A good sign, though hardly as definitive as I’d like.


Bruce Kirkpatrick

Apr 11, 2014, 10:52:10 AM
to ra...@googlegroups.com
Cool.  I think the httpclient is built on top of Oracle java ssl code, which shares nothing in common with openssl.  Source: http://hc.apache.org/httpclient-3.x/sslguide.html

Bruce Kirkpatrick

Apr 18, 2014, 10:47:31 AM
to ra...@googlegroups.com
I just noticed the Railo blog has a related link about their Heartbleed bug analysis for Railo.

