Arch Linux

gnarliprime

Member

Registered: 2011-09-01

Posts: 11

[SOLVED] new openssl vulnerability

I wasn't sure where to put this, but didn't see an official roll of the patched non vulnerable version of openssl except the one in testing, anyone know if one is in the works or should we start patching/compiling/downgrading?

CVE-2014-0160

http://heartbleed.com/
http://web.nvd.nist.gov/view/vuln/detai … -2014-0160

Last edited by gnarliprime (2014-04-08 03:59:19)

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,081

Re: [SOLVED] new openssl vulnerability

Yes, the one in testing is the fixed one, and there's already a bug report on the bug tracker to make sure the maintainer is aware that this needs to go to core ASAP.

gnarliprime

Member

Registered: 2011-09-01

Posts: 11

Re: [SOLVED] new openssl vulnerability

awesome, I appreciate the quick response. I'll keep an eye out and watch for an update or manually patch it if its going to take some time.

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,081

Re: [SOLVED] new openssl vulnerability

It's gone to core already, so just update and you'll be covered.

gnarliprime

Member

Registered: 2011-09-01

Posts: 11

Re: [SOLVED] new openssl vulnerability

just grabbed it and looks good, I think we should be good to mark this as solved but not familiar enough with the interface to do so

Inxsible

Forum Fellow

From: Chicago

Registered: 2008-06-09

Posts: 9,183

Re: [SOLVED] new openssl vulnerability

edit your first post and append [SOLVED] to the thread title.

---

Forum Rules

There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !

stqn

Member

Registered: 2010-03-19

Posts: 1,191

Website

Re: [SOLVED] new openssl vulnerability

Unfortunately, as far as I understand it, it’s far from solved because the whole internet needs to update openssl AND change their keys and passwords… :-/ The NSA or anyone could have compromised a lot of services in the past two years.

Last edited by stqn (2014-04-09 15:31:23)

karol

Archivist

Registered: 2009-05-06

Posts: 25,440

Re: [SOLVED] new openssl vulnerability

I wasn't sure where to put this

There's https://wiki.archlinux.org/index.php/Ar … oring_Team , https://wiki.archlinux.org/index.php/CVE-2014 and https://mailman.archlinux.org/mailman/l … h-security

Awebb

Member

Registered: 2010-05-06

Posts: 6,601

Re: [SOLVED] new openssl vulnerability

Sorry for the necro-OT, but this is hilarious! Even the least techno-affine news blogs in Germany report, that this is the bug to destroy mankind and the only topic on the Arch bbs is like...
User: "there is a bug"
Arch: "thx, fixed"
User: "that was quick, lol"

Now excuse me while I waste a few vacation days to sanitize all my VPS and servers running Debian...

charlie

Member

Registered: 2013-09-18

Posts: 57

Re: [SOLVED] new openssl vulnerability

Shouldn't libssl be also updated?

http://filippo.io/Heartbleed/faq.html#sure

EDIT

The current version on my system seems to be 1.0.0 (after update today):

$ ls /usr/lib/libssl*
/usr/lib/libssl3.so  /usr/lib/libssl.so  /usr/lib/libssl.so.1.0.0

OpenSSL version 1.0.0 is not vulnerable according to http://heartbleed.com/

So i suspect it means this is ok?

Nevertheless I am not sure this is the correct way to check the version of a lib.

By the way shouldn't be the version of libssl the same as the version of openssl?

Last edited by charlie (2014-04-09 18:18:51)

maggie

Member

Registered: 2011-02-12

Posts: 255

Re: [SOLVED] new openssl vulnerability

I am confused about this. If I access my linux box from away from home using keys based ssh, should I now regenerate my private key?

anatolik

Developer

Registered: 2012-09-27

Posts: 458

Re: [SOLVED] new openssl vulnerability

should I now regenerate my ssh private key?

No, this bug affects only TLS protocol http://serverfault.com/questions/587433 … s-affected

---

Read it before posting http://www.catb.org/esr/faqs/smart-questions.html
Ruby gems repository done right https://bbs.archlinux.org/viewtopic.php?id=182729
Fast initramfs generator with security in mind https://wiki.archlinux.org/index.php/Booster

progandy

Member

Registered: 2012-05-17

Posts: 5,259

Re: [SOLVED] new openssl vulnerability

I am confused about this. If I access my linux box from away from home using keys based ssh, should I now regenerate my private key?

AFAIK the bug is/was in the TLS protocol. What servers do you have running? If the only thing you have is the ssh server you should be save I think since it doesn't use TLS. If you also have a HTTPS server or an SMTP server you might still want to recreate your keys.

Last edited by progandy (2014-04-09 19:31:27)

---

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Gulver

Member

Registered: 2013-05-24

Posts: 208

Re: [SOLVED] new openssl vulnerability

I'm seeing in most of my google connections an SSL Error, just to refresh the page for five times to get a proper response; Is this somehow related?
I mean, if that's a planned operation against a few computer operators, I wonder so hard why would someone want my torrent prons and cheap translation works.

Couldn't help myself but had to post this

Last edited by Gulver (2014-04-09 19:49:22)

Roken

Member

From: South Wales, UK

Registered: 2012-01-16

Posts: 1,281

Re: [SOLVED] new openssl vulnerability

Posted for info only. Please feel free to move it if it's more appropriate somewhere else:

Email received today (and yes, it's verified as correct)

here are news [1] about a bug in OpenSSL that may allow an attacker to
leak arbitrary information from any process using OpenSSL. [2]

We contacted you, because you have subscribed to get general announcements,
or you have had a server certificate since the bug was introduced into the
OpenSSL releases and are especially likely to be affected by it.

CAcert is not responsible for this issue. But we want to inform members
about it, who are especially likely to be vulnerable or otherwise affected.


Good news:
==========
Certificates issued by CAcert are not broken and our central systems did
not leak your keys.


Bad news:
=========
Even then you may be affected.

Although your keys were not leaked by CAcert your keys on your own systems
might have been compromised if you were or are running a vulnerable version
of OpenSSL.


To elaborate on this:
=====================
The central systems of CAcert and our root certificates are not affected by
this issue. Regrettably some of our infrastructure systems were affected by
the bug. We are working to fix them and already completed work for the most
critical ones. If you logged into those systems, within the last two years,
(see list in the blog post) you might be affected!

But unfortunately given the nature of this bug we have to assume that the
certificates of our members may be affected, if they were used in an
environment with a publicly accessible OpenSSL connection (e.g. Apache web
server, mail server, Jabber server, ...). The bug has been open in OpenSSL
for two years - from December 2011 and was introduced in stable releases
starting with OpenSSL 1.0.1.

When an attacker can reach a vulnerable service he can abuse the TLS
heartbeat extension to retrieve arbitrary chunks of memory by exploiting a
missing bounds check. This can lead to disclosure of your private keys,
resident session keys and other key material as well as  all volatile
memory contents of the server process like passwords, transmitted user data
(e.g. web content) as well as other potentially confidential information.

Exploiting this bug does not leave any noticeable traces, thus for any
system which is (or has been) running a vulnerable version of OpenSSL you
must assume  that at least your used server keys are compromised and
therefore must be replaced by newly generated ones. Simply renewing
existing certificates is not sufficient! - Please generate NEW keys with at
least 2048 bit RSA or stronger!

As mentioned above this bug can be used to leak passwords and thus you
should consider changing your login credentials to potentially compromised
systems as well as any other system where those credentials might have been
used as soon as possible.

An (incomplete) list of commonly used software which include or link to
OpenSSL can be found at [5].


What to do?
===========
- Ensure that you upgrade your system to a fixed OpenSSL version (1.0.1g or
above).
- Only then create new keys for your certificates.
- Revoke all certificates, which may be affected.
- Check what services you have used that may have been affected within the
last two years.
- Wait until you think that those environments got fixed.
- Then (and only then) change your credentials for those services. If you
do it too early, i.e. before the sites got fixed, your data may be leaked,
again. So be careful when you do this.


CAcert's response to the bug:
=============================
- We updated most of the affected infrastructure systems and created new
certificates for them. The remaining will follow, soon.
- We used this opportunity to upgrade to 4096 bit RSA keys signed with
SHA-512. The new fingerprints can be found in the list in the blog post.

- With this email we contact all members, who had active server
certificates within the last two years.
- We will keep you updated, in the blog.

A list of affected and fixed infrastructure systems and new information can
be found at:

---

Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus Prime B450 Plus, 32Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (1 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703

/ is the root of all problems.

karol

Archivist

Registered: 2009-05-06

Posts: 25,440

Re: [SOLVED] new openssl vulnerability

Your post doesn't have any links, so I don't know if it's https://bugs.archlinux.org/task/39775 or something else.

When an attacker can reach a vulnerable service he can abuse the TLS
heartbeat extension to retrieve arbitrary chunks of memory by exploiting a
missing bounds check. 

Leads me to believe it's about the heartbeat vulnerability, but it has already been discussed on the ML and even on the forum
https://bbs.archlinux.org/viewtopic.php … 8#p1402148

Last edited by karol (2014-04-10 22:42:17)

jasonwryan

Anarchist

From: .nz

Registered: 2009-05-09

Posts: 30,424

Website

Re: [SOLVED] new openssl vulnerability

Merging...

---

Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438