[Cialug] CentOS SSL
Daniel A. Ramaley
daniel.ramaley at drake.edu
Wed Apr 9 17:56:52 CDT 2014
That's probably enough of a starting point for what I need to argue.
Thank you!
On 2014-04-09 at 17:53:02 Josh More wrote:
> I don't have anything public, though some might be released at
> tonight's SANS webcast. (
> https://www.sans.org/webcasts/openssl-heartbleed-vulnerability-98105 )
>
> There has been a lot of discussion on several private security lists.
> Signatures are being written for the common IDS systems (Tipping Point
> and SourceFire are mostly what are being discussed) and people have
> been going through their saved packet captures. Many are reporting
> tons of hits starting on Monday. A smaller number are reporting hits
> stretching back through the last year or two.
>
> The problem is that you can't easily tell a legit heartbeat hit from a
> malicious one. However, evidence strongly suggests that it's been
> actively abused since Monday and likely abused prior to that.
>
> If you have old packet captures to analyze, this might be the evidence
> you need. If not, it's your call as to whether it's worth the
> hassle. If you are responsible for protecting a lot of people's
> sensitive information or a few people's critical information, I'd say
> it probably is. If not, probably not.
>
> -Josh
>
>
>
> On Wed, Apr 9, 2014 at 5:28 PM, Daniel A. Ramaley <daniel.ramaley at drake.edu> wrote:
> > Do you have any links that back up the "growing evidence" that the
> > bug has been exploited? Yesterday we had a fun night at work
> > patching everything. But I'd like to make the argument to
> > management that we really ought to rotate our certificates as well.
> > Since we *just* did that due to expiration, I'm going to need some
> > evidence to corroborate the need for it.
> >
> > On 2014-04-09 at 10:05:42 Josh More wrote:
> > > Yep, the update for CentOS came out really early yesterday
> > > morning.
> > >
> > > Remember, after you update, restart Apache (and OpenVPN if you're
> > > using it). Then regen your keys and have new certs issued.
> > >
> > > There is growing evidence that people have been collecting data using
> > > this bug, and this bug is two years old. There's no way to be sure
> > > your data was compromised, so you're best off just regenerating
> > > everything you need.
> > >
> > > -Josh
> > >
> > > On Wed, Apr 9, 2014 at 9:47 AM, Daniel Sloan <dan.sloan at drake.edu> wrote:
> > > > Here's a nice reference: http://heartbleed.com/
> > > >
> > > > From the site:
> > > > "What versions of the OpenSSL are affected?
> > > >
> > > > Status of different versions:
> > > > OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> > > > OpenSSL 1.0.1g is NOT vulnerable
> > > > OpenSSL 1.0.0 branch is NOT vulnerable
> > > > OpenSSL 0.9.8 branch is NOT vulnerable
> > > >
> > > > Bug was introduced to OpenSSL in December 2011 and has been out in
> > > > the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL
> > > > 1.0.1g released on 7th of April 2014 fixes the bug.....
> > > >
> > > > How about operating systems?
> > > >
> > > > Some operating system distributions that have shipped with potentially
> > > > vulnerable OpenSSL version:
> > > > Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
> > > > Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
> > > > CentOS 6.5, OpenSSL 1.0.1e-15
> > > > Fedora 18, OpenSSL 1.0.1e-4
> > > > OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
> > > > FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
> > > > NetBSD 5.0.2 (OpenSSL 1.0.1e)
> > > > OpenSUSE 12.2 (OpenSSL 1.0.1c)
> > > >
> > > > Operating system distribution with versions that are not vulnerable:
> > > > Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
> > > > SUSE Linux Enterprise Server
> > > > FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
> > > > FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
> > > > FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)"
> > > >
> > > > Dan Sloan
> > > > Systems Administrator
> > > > College of Business and Public Administration
> > > > Drake University
> > > > Des Moines, IA 50311
> > > > Phone # (515)-271-3705
> > > > College Webpage: http://www.cbpa.drake.edu
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf Of L. V. Lammert
> > > > Sent: Wednesday, April 09, 2014 9:19 AM
> > > > To: Central Iowa Linux Users Group
> > > > Subject: [Cialug] CentOS SSL
> > > >
> > > > Has anyone seen data on the Heartbleed status for CentOS? What
> > > > versions are affected? Remediation?
> > > >
> > > > Lee
> > > >
> > > > _______________________________________________
> > > > Cialug mailing list
> > > > Cialug at cialug.org
> > > > http://cialug.org/mailman/listinfo/cialug
> > >
> >
> > __
> > Daniel A. Ramaley
> > Network Engineer 2
> >
> > Dial Center 122, Drake University
> > 2407 Carpenter Ave / Des Moines IA 50311 USA
> > Tel: +1 515 271-4540
> > Fax: +1 515 271-1938
> > E-mail: daniel.ramaley at drake.edu
__
Daniel A. Ramaley
Network Engineer 2
Dial Center 122, Drake University
2407 Carpenter Ave / Des Moines IA 50311 USA
Tel: +1 515 271-4540
Fax: +1 515 271-1938
E-mail: daniel.ramaley at drake.edu
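An added check (my example, not code from the thread or from heartbleed.com) that applies the version table quoted above to the text of `openssl version -a`, with the caveat the CentOS entry makes necessary: a distribution that backports the fix keeps the upstream 1.0.1e string, so only a binary built before the 1.0.1g release date is provably unpatched. The sample outputs are constructed.

```python
import re
from datetime import date
# Added example (not from the thread): classify an OpenSSL build against the
# Heartbleed table quoted from heartbleed.com above, given `openssl version -a` text.
FIX_RELEASED = date(2014, 4, 7)  # 1.0.1g release date, per the quoted table
MONTHS = {m: i for i, m in enumerate(["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                      "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")
# "built on: Tue Feb 11 20:17:15 UTC 2013" -> (month name, day, year)
BUILT_RE = re.compile(r"built on:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+[^\n]*?(\d{4})")

# Constructed sample outputs; "centos65" mirrors the 1.0.1e-15 entry quoted above.
SAMPLES = {
    "centos65": "OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Tue Feb 11 20:17:15 UTC 2013\n",
    "fixed": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 18:02:11 UTC 2014\n",
}

def parse_version(output):
    """Return ((major, minor, patch), letter), or None without a version line."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)

def parse_build_date(output):
    """Return the 'built on:' date, or None if absent or unparseable."""
    m = BUILT_RE.search(output)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))

def classify(output):
    """'not vulnerable' | 'vulnerable' | 'verify distro patch' | 'not in table' | 'unknown'."""
    parsed = parse_version(output)
    if parsed is None:
        return "unknown"
    branch, letter = parsed
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"   # whole branch listed as NOT vulnerable
    if branch != (1, 0, 1):
        return "not in table"     # the quoted table says nothing about it
    if letter >= "g":
        return "not vulnerable"   # 1.0.1g and later carry the fix
    # 1.0.1..1.0.1f is vulnerable upstream, but distros keep the upstream string
    # after backporting; only a build older than 1.0.1g is provably unpatched.
    built = parse_build_date(output)
    if built is not None and built < FIX_RELEASED:
        return "vulnerable"
    return "verify distro patch"  # confirm via package changelog or vendor errata
```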