Forum OpenACS Development: Security Bug In OpenSSL

Posted by Brian Fenton on
Thanks Michael.
Posted by Neophytos Demetriou on
Yeah, thanks Michael. With the following python script anyone in the world can dump a bit of RAM from a vulnerable server:
https://gist.github.com/takeshixx/10107280

You would need to patch your services and re-issue keys. Upgrading to openssl-1.0.1g seems to be a good first step.

See also:
- http://youtu.be/w8IxN3lEAuU
- https://www.mattslifebytes.com/?p=533

Posted by Cesareo García Rodicio on
I've been checking this openssl bug and tested my server. And it was affected.

And I was playing a bit to solve that and it seems to be easy (I'm not a security expert and I don't have very sensitive data, so I did not do a serious audit). But this works (on ns 4.99.6 (HEAD) and Debian):
1. apt-get upgrade. After that "openssl version" gave me OpenSSL 1.0.1e 11 Feb 2013 (not 1.0.1g). Debian guys work fast
2. restart naviserver (this is not an issue of naviserver or aolserver)

And it works (I know that to be completely sure I would have to rebuild certificates, but I don't think my server is of interest to the NSA or whatever 😉).

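Step 2 of the procedure above matters because a running naviserver keeps the old libssl mapped until it is restarted. As an added check (not part of this thread; it assumes a Linux /proc filesystem, where the kernel tags mappings of replaced files with "(deleted)"), this script reports processes whose libssl/libcrypto mapping still points at a file that has since been replaced on disk:

```shell
#!/bin/sh
# Added example, not from the thread: after "apt-get upgrade" replaces
# libssl on disk, every long-running process that loaded the old copy
# (naviserver, aolserver, sshd, ...) keeps using it until restarted.
# Linux marks such mappings in /proc/PID/maps with a trailing "(deleted)".

# Print the stale libssl/libcrypto mapping lines found in one maps text
# (passed as a string). Returns 0 if any were found, 1 otherwise.
stale_ssl_mappings() {
    out=$(printf '%s\n' "$1" \
          | grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' | sort -u)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Walk all live processes and print "PID COMM" for each one that still
# maps a replaced libssl/libcrypto, i.e. needs a restart.
scan_live_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        text=$(cat "$maps" 2>/dev/null) || continue
        if stale_ssl_mappings "$text" >/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample excerpts of /proc/PID/maps, so the script runs offline.
SAMPLE_STALE='7f1a00000000-7f1a00012000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libc.so.6
7f1a00200000-7f1a00260000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a00300000-7f1a00480000 r-xp 00000000 08:01 5679 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)'
SAMPLE_FRESH='7f1a00000000-7f1a00012000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libc.so.6
7f1a00200000-7f1a00260000 r-xp 00000000 08:01 9001 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

if [ "${1:-}" = "--scan" ]; then
    scan_live_processes            # real check on this host (needs root to see all maps)
else
    echo "stale sample:"; stale_ssl_mappings "$SAMPLE_STALE" || echo "  (none)"
    echo "fresh sample:"; stale_ssl_mappings "$SAMPLE_FRESH" || echo "  (none)"
fi
```

Run with `--scan` as root after the upgrade; any process it lists is still serving with the old library, so "openssl version" alone cannot tell you the server is fixed.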
Posted by Neophytos Demetriou on
According to the security advisory from OpenSSL, the bug is fixed in 1.0.1g.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

--- https://www.openssl.org/news/secadv_20140407.txt
Posted by Cesareo García Rodicio on
Yes, 1.0.1g is the recommended upgrade.

But in my installation (upgraded from Debian, I didn't build it) 1.0.1e worked (or at least that's what the test said).

Posted by Gustaf Neumann on
Unfortunately, the world is more complex: for FC20 the fixed version is called openssl-1.0.1e-37.fc20.1
http://www.spinics.net/linux/fedora/fedora-users/msg447351.html
but compiling your own OpenSSL 1.0.1g is certainly safe in this regard.

Changing the library/recompiling is the easy part; "fixing" the damage is harder, since Heartbleed allows reading the memory (TCP buffers, etc.). One should change all HTTP authentication credentials that were ever transported over affected SSL channels, after the leak was fixed ... also for external sites. Also, getting new certificates might not be a bad idea.

Posted by Neophytos Demetriou on
[quote]

More OSS marketing like Heartbleed, please.

--- http://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-oss-community-about-marketing/
[/quote]

Posted by Michael Aram on
Dear community,

jfyi, another vulnerability in OpenSSL has just been announced:
SSL/TLS MITM vulnerability (CVE-2014-0224)

Kind regards, Michael
Posted by Maurizio Martignano on
Dear all,
this is just for information.
The Windows Port of OpenACS/Naviserver is using OpenSSL-1.1.0e.

Maurizio