Thanks for this, wouldn't have known otherwise, but there goes my Wednesday!

Riley Childs
Student
Asst. Head of IT Services
Charlotte United Christian Academy
(704) 497-2086
RileyChilds.net
Sent from my Windows Phone, please excuse mistakes
________________________________
From: Thomas Bennett<mailto:[log in to unmask]>
Sent: 4/8/2014 3:01 PM
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: [CODE4LIB] Serious vulnerability in OpenSSL

There is this one for CentOS 6

http://people.centos.org/z00dax/disable_heartbeat/x86_64/Packages/

They are "disabled_heartbeat" versions; download your version and use

rpm -ivh --force your_version_here

to overwrite your current openssl executable.



The following were sent out from our campus network security guy:


For those running any of the following distributions, updates to
OpenSSL are now available:

Ubuntu
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0160.html

Debian
https://security-tracker.debian.org/tracker/CVE-2014-0160

RHEL
http://rhn.redhat.com/errata/RHSA-2014-0376.html

CentOS
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

Gentoo
http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml

Cygwin (okay, not a distribution, but they were second only behind Gentoo in patching)
http://cygwin.com/packages/x86/libopenssl100/

kmw



Thomas



Sent from me, not an iThing, droid or other, just me

====================================================
Support Request                http://portal.support.appstate.edu
====================================================
Thomas McMillan Grant Bennett           Appalachian State University
Operations & Systems Analyst            P O Box 32026
University Library                      Boone, North Carolina 28608
(828) 262 6587
Library Systems                         http://www.library.appstate.edu
====================================================

Confidentiality Notice:
This communication constitutes an electronic communication within the meaning of the Electronic Communications Privacy Act, 18 U.S.C. Section 2510, and its disclosure is strictly limited to the recipient intended by the sender of this message.  If you are not the intended recipient, any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED.  Please contact this office immediately by return e-mail or at 828-262-6587, and destroy the original transmission and its attachment(s), if any, if you are not the intended recipient.

On Apr 8, 2014, at 10:12 AM, Becky Yoose wrote:

> Thanks for forwarding this along, Cary. I've been patching this morning,
> and am now in the process of determining needs for new certs. (sigh...)
>
> If you need some guidance in patching your server, here are a couple of
> links to start y'all out:
>
> Ubuntu-related patch info - https://gist.github.com/coderanger/10084033 ;
> http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl/444829#444829
> https://serverfault.com/questions/587329/heartbleed-what-is-it-and-what-are-options-to-mitigate-it
> https://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087
> https://unix.stackexchange.com/questions/123711/how-do-i-recover-from-the-heartbleed-bug-in-openssl
>
> Thanks,
> Becky, who already broke into her chocolate stash before 8:45 in the
> morning.
>
>
>
> On Tue, Apr 8, 2014 at 9:06 AM, Cary Gordon <[log in to unmask]> wrote:
>
>> Please read this page and its supporting documents about the Heartbleed
>> Bug.
>>
>> http://heartbleed.com/
>>
>> If you use OpenSSL, and most service providers do, you should patch your
>> servers ASAP.  OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are
>> vulnerable. Only version 1.0.1g or newer should be used.
>>
>> Apologies for multiple postings.
>>
>> Thanks,
>>
>> Cary
>>
>> Cary Gordon
>> The Cherry Hill Company
>> Los Angeles, CA
>>
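An added check for the two questions this thread raises: whether an installed OpenSSL falls in the range Cary gives (1.0.1 through 1.0.1f), and, for the CentOS/RHEL case Thomas describes, whether a vendor backport has fixed CVE-2014-0160 without bumping the upstream version string (RHEL 6 shipped the fix as a 1.0.1e rebuild, so `openssl version` alone still reads as vulnerable after updating). This is example code written for this page, not something posted by anyone in the thread; the version lines and changelog text it tests against are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Classify an OpenSSL build for Heartbleed
# from (a) the first line of `openssl version` and (b) the RPM changelog, which
# is where RHEL/CentOS record a backported CVE fix. All sample inputs below are
# constructed for illustration.

# heartbleed_version_vulnerable VERSION_LINE
# Returns 0 (true) if the upstream version is 1.0.1 .. 1.0.1f, the range named
# in the thread; 1 otherwise (0.9.8, 1.0.0, 1.0.1g+, unknown strings).
heartbleed_version_vulnerable() {
    # Pull "1.0.1e" out of e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # bare 1.0.1, or 1.0.1a .. 1.0.1f
        *) return 1 ;;
    esac
}

# rpm_changelog_patched CHANGELOG_TEXT
# Returns 0 if the package changelog mentions CVE-2014-0160, i.e. the distro
# backported the fix even though the version string did not change.
rpm_changelog_patched() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# heartbleed_status VERSION_LINE CHANGELOG_TEXT
# Prints one of: not-affected | patched-backport | VULNERABLE
heartbleed_status() {
    if ! heartbleed_version_vulnerable "$1"; then
        echo "not-affected"
    elif rpm_changelog_patched "$2"; then
        echo "patched-backport"
    else
        echo "VULNERABLE"
    fi
}

# Constructed samples (not output from any host mentioned in the thread).
SAMPLE_VULN='OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_OLD='OpenSSL 1.0.0-fips 29 Mar 2010'
SAMPLE_CHANGELOG_PATCHED='* Tue Apr 08 2014 Distro Security Team - 1.0.1e (constructed entry)
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
SAMPLE_CHANGELOG_STALE='* Mon Jan 06 2014 Distro Security Team - 1.0.1e (constructed entry)
- rebuild, no security changes'

for sample in "$SAMPLE_VULN" "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    echo "$sample -> $(heartbleed_status "$sample" "$SAMPLE_CHANGELOG_STALE")"
done
echo "$SAMPLE_VULN + backport changelog -> $(heartbleed_status "$SAMPLE_VULN" "$SAMPLE_CHANGELOG_PATCHED")"

# Live check on this host, skipped when the tools are not present.
if command -v openssl >/dev/null 2>&1; then
    live_ver=$(openssl version 2>/dev/null | head -n 1)
    live_log=""
    if command -v rpm >/dev/null 2>&1; then
        live_log=$(rpm -q --changelog openssl 2>/dev/null || true)
    fi
    echo "this host: $live_ver -> $(heartbleed_status "$live_ver" "$live_log")"
fi
```

Two caveats that go with the thread's advice. First, before forcing a package from a personal directory with `rpm -ivh --force`, `rpm -K file.rpm` checks its signature and `rpm -qp --changelog file.rpm` shows what the package itself claims to fix; the status check above is only as good as the changelog it reads. Second, replacing libssl on disk does not patch processes that already have the old library mapped, so every TLS-terminating service (httpd, nginx, postfix, the ILS, and so on) has to be restarted, or the box rebooted, before the "patched" verdict means anything for traffic.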