Results 1 to 8 of 8

Thread: URGENT: Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160

  1. #1
    Moderator Moderator
    Join Date
    Mar 2004
    Location
    Menlo Park, California
    Posts
    674

    URGENT: Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160

    Hello,
    This week is going to be quite interesting...
    Now that the word has been released it will be a world wide a race between
    the Hackers and the Sys Admins trying to fix this nasty "Heart Bleed"
    libSSL bug before too much "cloud data" get stolen & users get very upset.
    Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160
    https://heartbleed.com/
    http://filippo.io/Heartbleed/
    http://blog.existentialize.com/diagn...bleed-bug.html
    Cheers,
    Gilles

  2. #2
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Quote Originally Posted by ruymbeke View Post
    Please consider updating asap libSSL to version 1.0.1g, cf: CVE-2014-0160
    Gilles
    Greetings, Gilles.

    Thanks for the warning.

    FYI, reloading Synaptic on Knoppix 7.2 gives only an upgrade to 1.0.1e2,
    which your references say is still vulnerable.

    How would inexpert users like myself bring in libSSL 1.0.1g?

    Also, for information, if users like myself are only using the stock
    Knoppix LiveUSB with no additional ports left open, might this precaution
    be unnecessary?

    Code:
    Starting Nmap 6.00 ( http://nmap.org ) at 2014-04-09 10:57 UTC
    Nmap scan report for 192.168.1.3
    Host is up (0.00057s latency).
    All 1000 scanned ports on 192.168.1.3 are closed
    
    Nmap done: 1 IP address (1 host up) scanned in 0.11 second
    Thanks & Best Regards.

  3. #3
    Moderator Moderator
    Join Date
    Mar 2004
    Location
    Menlo Park, California
    Posts
    674
    Hi Utu,
    As always there are more than one way to solve a problem.
    To patch your setup with synaptic (as root) you need to:
    1) Reload package information (under the edit menu)
    2) Search for "libSSL" and select (left click) on "libssl1.0.0"
    3) Choose "force version" (under the edit menu) and select "1.0.1g-2 (testing)"
    4) Apply button after accept & confirm the changes ("Mark", "Ok" & "Forward" buttons)
    5) Check the libSSL "g" version: using: "openssl version"
    OpenSSL 1.0.1c 10 May 2012 (Library: OpenSSL 1.0.1g 7 Apr 2014)
    Hope this helps,
    Best Regards,
    Gilles

    PS: This vulnerability is really an serious issue for the servers using SSL
    (as the web server Apache) and which are connected to the public Internet.

  4. #4
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Quote Originally Posted by ruymbeke View Post
    3) Choose "force version" (under the edit menu) and select "1.0.1g-2 (testing)"
    Thanks, Gilles. This worked like a charm.

    Code:
    knoppix@Microknoppix:~$ openssl version 
    OpenSSL 1.0.1e 11 Feb 2013 (Library: OpenSSL 1.0.1g 7 Apr 2014)
    I got this probably since I upgrated to g1 first, then g2.
    Last edited by utu; 04-09-2014 at 08:11 PM.

  5. #5
    Moderator Moderator
    Join Date
    Nov 2010
    Location
    Germany/ Dietzenbach
    Posts
    1,124
    This vulnerability is really an serious issue for the servers using SSL
    (as the web server Apache) and which are connected to the public Internet.
    I hope nobody will do this with Knoppix. If you want to offer services like for example Apache, Exim and so on you cannot use a LiveCD like Knoppix for this.
    Last edited by Werner P. Schulz; 04-09-2014 at 09:43 PM.

  6. #6
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    .
    In using Knoppix to make internet contact with sites such as
    Amazon or Yahoo, I may transmit private information, expecting
    the communication is secure using the https protocol to
    communicate.

    Does my OS's implementation of SSL make any difference
    in the security of this communication or is it only the
    SSL implementation of the https site that is important?

  7. #7
    Moderator Moderator
    Join Date
    Nov 2010
    Location
    Germany/ Dietzenbach
    Posts
    1,124
    If you communicate with Amazon or Yahoo you are on the client side, not the server.

    But you should change your password as soon as possible and never use the same password for different connections, email and so on.

  8. #8
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    .
    For those who don't follow the mailing list, here's KK's clarification on this topic:
    https://lists.debian.org/debian-knop.../msg00004.html

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


A-Tech 8GB DDR3 1600 PC3-12800 Laptop SODIMM 204-Pin Memory RAM PC3L DDR3L 1x 8G picture

A-Tech 8GB DDR3 1600 PC3-12800 Laptop SODIMM 204-Pin Memory RAM PC3L DDR3L 1x 8G

$13.99



HyperX FURY RAM DDR4 16GB 8GB 32GB 4GB 3200 2666 2400 2133 Desktop Memory DIMM picture

HyperX FURY RAM DDR4 16GB 8GB 32GB 4GB 3200 2666 2400 2133 Desktop Memory DIMM

$9.64



CRUCIAL DDR3L 8GB 16GB 32GB 1600 MHz PC3-12800 Laptop Memory RAM SODIMM 204-Pin picture

CRUCIAL DDR3L 8GB 16GB 32GB 1600 MHz PC3-12800 Laptop Memory RAM SODIMM 204-Pin

$14.35



A-Tech 8GB PC3-12800 Desktop DDR3 1600 MHz Non ECC 240-Pin DIMM Memory RAM 1x 8G picture

A-Tech 8GB PC3-12800 Desktop DDR3 1600 MHz Non ECC 240-Pin DIMM Memory RAM 1x 8G

$13.99



A-Tech 16GB 2 x 8GB PC3-12800 Laptop SODIMM DDR3 1600 Memory RAM PC3L 16G DDR3L picture

A-Tech 16GB 2 x 8GB PC3-12800 Laptop SODIMM DDR3 1600 Memory RAM PC3L 16G DDR3L

$27.98



Team T-FORCE VULCAN Z 16GB (2 x 8GB) 288-Pin PC RAM DDR4 3200 (PC4 25600) Intel picture

Team T-FORCE VULCAN Z 16GB (2 x 8GB) 288-Pin PC RAM DDR4 3200 (PC4 25600) Intel

$35.99



HMT84GL7AMR4C-RD 32GB DDR3 Server Memory RAM 14900L ECC REG 4Rx4 SK Hynix Cisco picture

HMT84GL7AMR4C-RD 32GB DDR3 Server Memory RAM 14900L ECC REG 4Rx4 SK Hynix Cisco

$13.99



HyperX FURY DDR4 4GB 8GB 16GB 32GB 3200 2400 2666 Desktop RAM Memory DIMM 288pin picture

HyperX FURY DDR4 4GB 8GB 16GB 32GB 3200 2400 2666 Desktop RAM Memory DIMM 288pin

$23.15



Hynix 64GB 4Rx4 PC4-2133P-L LRDIMM DDR4-17000 ECC Load Reduced Server Memory RAM picture

Hynix 64GB 4Rx4 PC4-2133P-L LRDIMM DDR4-17000 ECC Load Reduced Server Memory RAM

$64.99



Kingston HyperX FURY DDR3 8GB 16GB 32G 1600 1866 1333 Desktop Memory RAM DIMM picture

Kingston HyperX FURY DDR3 8GB 16GB 32G 1600 1866 1333 Desktop Memory RAM DIMM

$39.95