Posted on 04/08/2014 11:13:55 AM PDT by Utilizer
A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed.
Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic. User names, passwords and the actual content of the communications can also be read.
...
OpenSSL recommends that uses immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the the heartbeat handshake. The 1.0.2 version of OpenSSL will be fixed with beta 2.
Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable...
(Excerpt) Read more at itnews.com.au ...
Fedora 20 wasn't on the list of affected distros, so you're probably fine.
If you want to run a check, this webpage is an excellent resource:
Remember, even if your external domain name scanned clean, that doesn't mean that your internal security is safe.
This is too glaring of a hole to be NSA. NSA is much more devious, going so far as to inject their own backdoors into core kernel components in the Windows, iOS, and Android operating systems. This is script-kiddie stuff but still big enough to be a major problem.
Far too many people are not so ready to admit to errors. You at the very least I found to be with your quick response able to bring a smile on. I too am never leery of learning from any mistake I make, so at your quick repost I was snickering along with you.
Good to get a smile and a laugh going sometimes.
And yes, I well know that others will be very quick to pile on when one does make a mistake, however I have never failed to accept constructive criticism as anything other than a learning experience. *grin*
Cheers!
FR is a great place, but you have to be willing to take a little good natured abuse. I saw some newbie get zotted the other day because he went ballistic on someone commenting on an unclear subject of his post. If he'd just responded with a "yeah, that wasn't as clear as it could be, what I meant was ..." Instead he got more and more nasty about it down thread, and people responded in kind. Eventually the mods zotted him for being an ass.
Maybe he'll learn from it, but somehow I doubt it.
Yeah roger that. I realise they aren't the same, but openssh uses code from openssl (says so right in the version string). Gotta wonder if there aren't similar issues there. I'm sure folks are looking the potential to subvert ssh as well now. Paranoia with crypto software is a good thing. I'd prefer my ssh to be compiled against the 'g' code fix just to be sure.
OpenSSH generates private keys for a hash and discards them, if I’m not mistaken. The problem with this vulnerability is that private keys can be compromised, thus making encryption worthless.
Nope
Where I work we run Redhat, CentOS and AIX for our UNIX servers. I'm responsible for the AIX portion and I've been testing a fix this morning. If you use openssl, and are running the affected versions, you are vulnerable no matter what flavor of OS you are running.
We’re a big RHEL shop here, but they use F5s for certificates along with VeriSign. Very little scuttlebutt this morning about it.
Good to know. Yeah, the keys are regenerated, but they have a lifespan. I'm showing a default regeneration interval of 1H on my system, and that's about what I remember from looking at it in the past, so it's not that bad. The more I read on this, it sounds like the attack vector on this is such that it is likely the surface are of ssh is pretty small, if it exists at all. That makes me happy, but doesn't completely dispell my inborn paranoia. :-) I expect to see new ssh binaries in the pipeline soon enough. The folks who maintain ssh are pretty paranoid as well, so they'll likely take a close look at the fix first to make sure it doesn't break anything else. SSH is a critical utility.
I only use the CLI for OpenSSH to generate login keys for my jump servers. This allows me to turn off password-based authentication and use certificates only. That reduces the chance of a successful brute force attack manifold.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.