[Cialug] CentOS SSL

Daniel A. Ramaley daniel.ramaley at drake.edu
Wed Apr 9 17:28:07 CDT 2014


Do you have any links that back up the "growing evidence" that the bug 
has been exploited? Yesterday we had a fun night at work patching 
everything. But I'd like to make the argument to management that we 
really ought to rotate our certificates as well. Since we *just* did 
that due to expiration, I'm going to need some evidence to corroborate 
the need for it.

On 2014-04-09 at 10:05:42 Josh More wrote:
> Yep, the update for CentOS came out really early yesterday morning.
> 
> Remember, after you update, restart Apache (and OpenVPN if you're
> using it).  Then regen your keys and have new certs issued.
> 
> There is growing evidence that people have been collecting data using
> this bug, and this bug is two years old.  There's no way to be sure
> your data was compromised, so you're best off just regenerating
> everything you need.
> 
> -Josh
> 
> On Wed, Apr 9, 2014 at 9:47 AM, Daniel Sloan <dan.sloan at drake.edu> wrote:
> > Here's a nice reference: http://heartbleed.com/
> > 
> > From the site:
> > "What versions of the OpenSSL are affected?
> > 
> > Status of different versions:
> >     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> >     OpenSSL 1.0.1g is NOT vulnerable
> >     OpenSSL 1.0.0 branch is NOT vulnerable
> >     OpenSSL 0.9.8 branch is NOT vulnerable
> > 
> > Bug was introduced to OpenSSL in December 2011 and has been out in
> > the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL
> > 1.0.1g released on 7th of April 2014 fixes the bug.....
> > 
> >  How about operating systems?
> > 
> > Some operating system distributions that have shipped with potentially
> > vulnerable OpenSSL version:
> >     Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
> >     Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
> >     CentOS 6.5, OpenSSL 1.0.1e-15
> >     Fedora 18, OpenSSL 1.0.1e-4
> >     OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
> >     FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
> >     NetBSD 5.0.2 (OpenSSL 1.0.1e)
> >     OpenSUSE 12.2 (OpenSSL 1.0.1c)
> > 
> > Operating system distribution with versions that are not vulnerable:
> >     Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
> >     SUSE Linux Enterprise Server
> >     FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
> >     FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
> >     FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)"
> > 
> > Dan Sloan
> > Systems Administrator
> > College of Business and Public Administration
> > Drake University
> > Des Moines, IA 50311
> > Phone # (515)-271-3705
> > College Webpage:  http://www.cbpa.drake.edu
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org]
> > On
> > Behalf Of L. V. Lammert
> > Sent: Wednesday, April 09, 2014 9:19 AM
> > To: Central Iowa Linux Users Group
> > Subject: [Cialug] CentOS SSL
> > 
> > Has anyone seen data on the Heartbleed status for CentOS? What
> > versions are affected? Remediation?
> > 
> >         Lee
> > 
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> 
__
Daniel A. Ramaley
Network Engineer 2

Dial Center 122, Drake University
2407 Carpenter Ave / Des Moines IA 50311 USA
Tel: +1 515 271-4540
Fax: +1 515 271-1938
E-mail: daniel.ramaley at drake.edu



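The patch, restart and regenerate steps from Josh's reply above, as an added example that was not posted by anyone in this thread: a POSIX shell script with three post-update checks (the upstream "openssl version" string against the 1.0.1 to 1.0.1f range from heartbleed.com, the installed RPM's changelog for the Heartbleed CVE, and processes still mapping a deleted libssl/libcrypto in lsof output), plus the key and CSR regeneration command for getting a new certificate issued. The lsof and changelog text is constructed sample data so the script runs offline; CVE-2014-0160 and RHSA-2014:0376 are the real identifiers for Heartbleed and the CentOS 6 fix; the host name and file paths given to regen_key_and_csr are hypothetical.

```shell
#!/bin/sh
# Added example for this thread (not posted by any list member): after
# "yum update openssl" on CentOS, confirm the fix is really in place and
# that nothing is still running against the old library, then regenerate
# the private key and CSR so the certificate can be reissued.
#
# The lsof and changelog text below is CONSTRUCTED sample data so the checks
# run offline; on a real host feed them the live command output instead.

# Check 1: does an "openssl version" string fall in the vulnerable range
# 1.0.1 .. 1.0.1f (inclusive)?  Only meaningful for upstream builds: CentOS
# backports the fix (RHSA-2014:0376) without changing the "1.0.1e" version
# string, so a patched CentOS 6.5 box still matches here; use check 2 there.
upstream_version_vulnerable() {
    case "$1" in
        "OpenSSL 1.0.1"|"OpenSSL 1.0.1 "*) return 0 ;;   # bare 1.0.1 (14 Mar 2012)
        "OpenSSL 1.0.1"[a-f]*)             return 0 ;;   # 1.0.1a .. 1.0.1f
        *)                                 return 1 ;;   # 1.0.1g+, 1.0.0, 0.9.8
    esac
}

# Check 2: does the installed RPM's changelog record the Heartbleed CVE?
# Live use:  rpm_changelog_fixed "$(rpm -q --changelog openssl)"
rpm_changelog_fixed() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# Check 3: list processes still mapping a deleted (pre-update) libssl or
# libcrypto.  lsof marks a deleted-but-still-mapped file with "DEL" in the
# FD column; every process listed must be restarted or it keeps serving with
# the old code even though the RPM is updated.
# Live use:  stale_ssl_processes "$(lsof -n 2>/dev/null)"
stale_ssl_processes() {
    printf '%s\n' "$1" \
      | awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $1, $2 }' \
      | sort -u
}

# Step 4: fresh 2048-bit RSA key and CSR to send to the CA for reissue.
# Host name and paths are hypothetical; not executed by the sample run below.
regen_key_and_csr() {
    host="$1"; key="$2"; csr="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -subj "/CN=$host"
}

# ---- constructed sample data (not captured from a real host) -----------
SAMPLE_LSOF='COMMAND  PID   USER  FD   TYPE DEVICE SIZE/OFF  NODE NAME
httpd   1234 apache  DEL  REG  253,0           12345 /usr/lib64/libssl.so.1.0.1e
httpd   1234 apache  mem  REG  253,0   1926760 12346 /lib64/libc-2.12.so
openvpn 2345   root  DEL  REG  253,0           12347 /usr/lib64/libcrypto.so.1.0.1e
sshd    3456   root  mem  REG  253,0    421552 12348 /usr/lib64/libssl.so.1.0.1e'

SAMPLE_CHANGELOG_OLD='- constructed sample: earlier fixes only, no Heartbleed entry'
SAMPLE_CHANGELOG_NEW='- constructed sample: fix CVE-2014-0160 - information disclosure in TLS heartbeat'

# Sample run against the constructed data.
if upstream_version_vulnerable "OpenSSL 1.0.1e-fips 11 Feb 2013"; then
    echo "upstream version string in vulnerable range (on CentOS, trust check 2)"
fi
if rpm_changelog_fixed "$SAMPLE_CHANGELOG_NEW"; then
    echo "rpm changelog: CVE-2014-0160 fix present"
fi
echo "processes still using the old library (restart these):"
stale_ssl_processes "$SAMPLE_LSOF"
```

The sshd line in the sample is deliberately a live "mem" mapping of the current library, so it is not reported; only the two processes holding a "DEL" mapping (httpd and openvpn, the two services Josh names) come back. The version check is there for upstream builds like the BSD and Ports entries in Dan's list; on CentOS the changelog check is the one that tells you whether the update actually landed.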