-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear all,

We are very concerned about the 'Heartbeat' security problem which has
been discovered with OpenSSL. Thanks to our out-of-date old-stable
version of Debian, we are using:

openssl 0.9.8o-4squeeze14

This page also claims Debian 6 (which we use) is unaffected:

https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability

as does the text of the DSA below.

However, both of the heartbeat vulnerability checkers we have used have
told us that they were able to successfully exploit this vulnerability
against our site:

http://filippo.io/Heartbleed/#noflag.org.uk
https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk

What could be going on here?

Thanks in advance for all your help,

Daniel

Salvatore Bonaccorso wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2896-1                   secur...@debian.org
> http://www.debian.org/security/                      Salvatore Bonaccorso
> April 07, 2014                            http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : openssl
> CVE ID         : CVE-2014-0160
> Debian Bug     : 743883
>
> A vulnerability has been discovered in OpenSSL's support for the
> TLS/DTLS Heartbeat extension. Up to 64KB of memory from either client
> or server can be recovered by an attacker. This vulnerability might
> allow an attacker to compromise the private key and other sensitive
> data in memory.
>
> All users are urged to upgrade their openssl packages (especially
> libssl1.0.0) and restart applications as soon as possible.
>
> According to the currently available information, private keys should
> be considered as compromised and regenerated as soon as possible.
> More details will be communicated at a later time.
>
> The oldstable distribution (squeeze) is not affected by this
> vulnerability.
>
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.0.1e-2+deb7u5.
>
> For the testing distribution (jessie), this problem has been fixed
> in version 1.0.1g-1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1.0.1g-1.
>
> We recommend that you upgrade your openssl packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBCgAGBQJTSAmqAAoJEJhsX8U2K7jUaD0H/2FUZIr4qKST1NCAKrgjP53V
> jQknF8erQrGhUrP1hKE2FckuKJljeUAv6rUEVJCiuEPWmCgL08Eoy1SZuIG2S72q
> vRbfyYaIz2GKVoGdbkW0GMe963mLUhJ1H5PdcPrsApUZ9AcwQPYKGqLx4/TTrOsB
> nbr19ELLQbZCfE8SsUuMDpy/bHeF3c9gb5iUhcnpow6KIjzYGKaJfhiV6HxVlkDX
> krdkegdOUn2wKu/deLoARpMqyz6a7son8YcbQ71/XIogtGnxY0L4T9Nabj4NChB/
> ggIu+7x62teyb56vToySrXKF5HaqDE2Bna7cJSlD0ia64ME1yG/4joL93Jt10IY=
> =kDpQ
> -----END PGP SIGNATURE-----

Archive: https://lists.debian.org/534809aa.2000...@noflag.org.uk
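The DSA quoted above only says that "up to 64KB of memory" can be recovered. The following Python model is an added example, not part of the original thread and not OpenSSL's own code: it serialises a TLS Heartbeat message (RFC 6520: type, 16-bit payload_length, payload, at least 16 bytes of padding) and runs it through two handlers, one that trusts the peer's payload_length the way the affected OpenSSL releases did, and one that applies the bounds check the fix adds (the declared payload plus header and minimum padding must fit in the record actually received, otherwise the message is silently discarded). The "heap" next to the record, the function names and the lying length of 60 are all constructed for the demonstration; a real process has up to 64 KiB of whatever happens to be adjacent. This is also what the online checkers linked above test for in practice: a heartbeat response longer than the request that was sent, which is a behavioural check and says nothing about which package version string the host reports.

```python
"""Model of TLS Heartbeat (RFC 6520) request handling, showing the missing bounds
check behind CVE-2014-0160 next to the checked version.  Pure in-memory
simulation with constructed data; nothing is sent over the network."""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16   # RFC 6520: at least 16 bytes of padding follow the payload
HEADER = 3     # type (1 byte) + payload_length (2 bytes, big-endian)

# Constructed stand-in for whatever sits next to the record in the process heap.
NEIGHBOUR_HEAP = b"session-cookie=abc123; -----BEGIN RSA PRIVATE KEY----- ..."


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Serialise a HeartbeatMessage.  `claimed_length` overrides the true payload
    length; a value larger than len(payload) is the Heartbleed trigger."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def handle_vulnerable(memory: bytes, record_len: int) -> Optional[bytes]:
    """Affected behaviour: trust payload_length from the peer and echo that many
    bytes starting after the header, regardless of how long the record really is."""
    hbtype, payload_len = struct.unpack("!BH", memory[:HEADER])
    if hbtype != HB_REQUEST:
        return None
    # `record_len` is never consulted, so the slice runs past the record into
    # adjacent memory (Python just truncates at the end of our small buffer).
    echoed = memory[HEADER:HEADER + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def handle_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Behaviour with the CVE-2014-0160 fix: refuse any record whose declared
    payload, plus header and minimum padding, does not fit in what was received."""
    if record_len < HEADER:
        return None
    hbtype, payload_len = struct.unpack("!BH", memory[:HEADER])
    if hbtype != HB_REQUEST:
        return None
    if HEADER + payload_len + PADDING > record_len:
        return None  # silently discard, as the fixed code does
    echoed = memory[HEADER:HEADER + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def echoed_payload(response: Optional[bytes]) -> Optional[bytes]:
    """Strip header and padding from a response and return what the server echoed."""
    if response is None:
        return None
    _, length = struct.unpack("!BH", response[:HEADER])
    return response[HEADER:HEADER + length]


def simulate(payload: bytes, claimed_length: Optional[int] = None) -> dict:
    """Place the record in front of the constructed heap contents and run both
    handlers on the same bytes, returning what each one would send back."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + NEIGHBOUR_HEAP
    return {
        "vulnerable": echoed_payload(handle_vulnerable(memory, len(record))),
        "fixed": echoed_payload(handle_fixed(memory, len(record))),
    }


if __name__ == "__main__":
    honest = simulate(b"hello")
    print("honest request, vulnerable handler echoes:", honest["vulnerable"])
    print("honest request, fixed handler echoes:     ", honest["fixed"])
    lying = simulate(b"hello", claimed_length=60)
    print("lying request, vulnerable handler echoes: ", lying["vulnerable"])
    print("lying request, fixed handler echoes:      ", lying["fixed"])
```

With an honest 5-byte payload both handlers echo `hello`. With the same 24-byte record but payload_length set to 60, the unchecked handler returns the 5 real bytes, the 16 bytes of padding and then 39 bytes of the neighbouring heap (here the constructed cookie and the start of the key), while the checked handler drops the message because 3 + 60 + 16 exceeds the 24 bytes it received.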