-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Thank you all for your help. Mod_spdy has a statically-linked vulnerable version of OpenSSL. After the standard update we are no longer vulnerable.

Daniel

Estelmann, Christian wrote:
> Your server talks spdy. Have you upgraded mod_spdy to 0.9.4.2?
>
> (for mod_spdy you need an Apache HTTP Server 2.4.X, in squeeze there
> is only 2.2.16 ...)
>
>> Sent: Friday, 11 April 2014 at 17:26
>> From: daniel <dan...@noflag.org.uk>
>> To: debian-security@lists.debian.org
>> Cc: "- Noflag" <ad...@lists.noflag.org.uk>
>> Subject: Re: [SECURITY] [DSA 2896-1] openssl security update
>>
> Dear all,
>
> We are very concerned about the 'Heartbeat' security problem which
> has been discovered with OpenSSL. Thanks to our out-of-date
> old-stable version of debian, we are using:
>
> openssl 0.9.8o-4squeeze14
>
> This page also claims debian 6 (which we use) is unaffected:
> https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
>
> as does the text of the DSA below.
>
> However, both of the heartbeat vulnerability checkers we have used
> have told us that they were able to successfully exploit this
> vulnerability against our site:
>
> http://filippo.io/Heartbleed/#noflag.org.uk
> https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk
>
> What could be going on here?
>
> Thanks in advance for all your help,
>
> Daniel
>
> Salvatore Bonaccorso wrote:
>>>> -------------------------------------------------------------------------
>>>> Debian Security Advisory DSA-2896-1                   secur...@debian.org
>>>> http://www.debian.org/security/                      Salvatore Bonaccorso
>>>> April 07, 2014                         http://www.debian.org/security/faq
>>>> -------------------------------------------------------------------------
>>>>
>>>> Package        : openssl
>>>> CVE ID         : CVE-2014-0160
>>>> Debian Bug     : 743883
>>>>
>>>> A vulnerability has been discovered in OpenSSL's support for
>>>> the TLS/DTLS Heartbeat extension. Up to 64KB of memory from
>>>> either client or server can be recovered by an attacker. This
>>>> vulnerability might allow an attacker to compromise the private
>>>> key and other sensitive data in memory.
>>>>
>>>> All users are urged to upgrade their openssl packages
>>>> (especially libssl1.0.0) and restart applications as soon as
>>>> possible.
>>>>
>>>> According to the currently available information, private keys
>>>> should be considered as compromised and regenerated as soon as
>>>> possible. More details will be communicated at a later time.
>>>>
>>>> The oldstable distribution (squeeze) is not affected by this
>>>> vulnerability.
>>>>
>>>> For the stable distribution (wheezy), this problem has been
>>>> fixed in version 1.0.1e-2+deb7u5.
>>>>
>>>> For the testing distribution (jessie), this problem has been
>>>> fixed in version 1.0.1g-1.
>>>>
>>>> For the unstable distribution (sid), this problem has been
>>>> fixed in version 1.0.1g-1.
>>>>
>>>> We recommend that you upgrade your openssl packages.
>>>>
>>>> Further information about Debian Security Advisories, how to
>>>> apply these updates to your system and frequently asked
>>>> questions can be found at: http://www.debian.org/security/
>>>>
>>>> Mailing list: debian-security-annou...@lists.debian.org
>>>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
>> with a subject of "unsubscribe". Trouble?
>> Contact listmas...@lists.debian.org
>> Archive: https://lists.debian.org/534809aa.2000...@noflag.org.uk
>>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/53489e89.2070...@noflag.org.uk
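A defender's check for the situation this thread ends on, where the distribution's libssl is unaffected but a module carries its own statically-linked OpenSSL: this added example (not code from the thread or from mod_spdy) scans shared objects for the version banner OpenSSL compiles into every build and flags the 1.0.1 through 1.0.1f range named by CVE-2014-0160. The affected-range rule, the file names and the sample blobs are assumptions constructed here; a binary built without the banner string would not be caught by it.

```python
import re
from pathlib import Path
from typing import Dict, List

# OpenSSL embeds a banner like "OpenSSL 1.0.1e 11 Feb 2013" in libcrypto,
# so a statically-linked copy leaves it inside the module that links it.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")


def find_openssl_versions(blob: bytes) -> List[str]:
    """Distinct OpenSSL version strings embedded in a binary blob, in order found."""
    found: List[str] = []
    for m in VERSION_RE.finditer(blob):
        v = m.group(1).decode("ascii")
        if v not in found:
            found.append(v)
    return found


def is_heartbleed_affected(version: str) -> bool:
    """CVE-2014-0160 affects 1.0.1 up to and including 1.0.1f; 1.0.1g fixed it.
    0.9.8 and 1.0.0 predate the heartbeat code (assumed from the advisory)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        return False
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter <= "f"  # "" (plain 1.0.1) through "f" sort before "g"


def scan_blob(name: str, blob: bytes) -> Dict[str, object]:
    versions = find_openssl_versions(blob)
    return {"path": name, "versions": versions,
            "affected": [v for v in versions if is_heartbleed_affected(v)]}


def scan_module_dir(directory: str) -> List[Dict[str, object]]:
    """Scan every *.so in a directory (e.g. Apache's modules dir) for bundled OpenSSL."""
    return [scan_blob(str(p), p.read_bytes())
            for p in sorted(Path(directory).glob("*.so"))]


# Constructed sample blobs (hypothetical contents, not real module images):
SAMPLE_BUNDLED = b"\x7fELF\x00...\x00OpenSSL 1.0.1e 11 Feb 2013\x00...\x00"
SAMPLE_OLD = b"\x7fELF\x00...\x00OpenSSL 0.9.8o 01 Jun 2010\x00"

if __name__ == "__main__":
    for name, blob in (("mod_spdy.so", SAMPLE_BUNDLED), ("mod_ssl.so", SAMPLE_OLD)):
        r = scan_blob(name, blob)
        print(f"{r['path']}: bundled={r['versions']} affected={r['affected']}")
```

Run `scan_module_dir("/usr/lib/apache2/modules")` on a real host to list which modules carry their own OpenSSL; a package update of libssl does not change what such a module reports.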