Hello

Could anyone comment on this? Worry, not worry, upgrade, upgrade to what 
version?

There are a few contradictory pieces of information coming out regarding the check of 
my server for the 'heartbleed' bug:

1. http://heartbleed.com/

...
Status of different versions:

--->    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    OpenSSL 1.0.1g is NOT vulnerable
    OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable
...
How about operating systems?

Some operating system distributions that have shipped with potentially 
vulnerable OpenSSL version:

    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    CentOS 6.5, OpenSSL 1.0.1e-15
    Fedora 18, OpenSSL 1.0.1e-4
    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
--->    FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    NetBSD 5.0.2 (OpenSSL 1.0.1e)
    OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

    Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
    SUSE Linux Enterprise Server
    FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
    FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
--->    FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
...

2. lynx -dump -head http://localhost/

HTTP/1.1 200 OK
Date: Fri, 11 Apr 2014 08:10:11 GMT
Server: Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26
---> OpenSSL/1.0.1e-freebsd
DAV/2 mod_python/3.3.1 Python/2.7.6 mod_perl/2.0.8 Perl/v5.16.3
Last-Modified: Wed, 12 Feb 2014 13:29:34 GMT
ETag: "278b56-2c-4f235903dcb80"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

3. http://possible.lv/tools/hb/?domain=xxx

ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is 
possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Server is vulnerable to all attacks 
tested, please upgrade software ASAP.

4. pkg audit

0 problem(s) in the installed packages found.


Cheers
B.
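Added example, not part of the post above and not code from heartbleed.com, FreeBSD or the checker linked in item 3: a small Python screen that pulls the OpenSSL token out of an Apache Server: header (or a bare package version such as 1.0.1e-2+deb7u4) and classifies it against the range heartbleed.com publishes (1.0.1 through 1.0.1f vulnerable; 1.0.1g, 1.0.0 and 0.9.8 not). The function names and the sample inventory are mine; the sample values are copied from the post. A version-string verdict is only a first screen, because vendors backport fixes without changing the string, so the active TLS check in item 3 remains the authoritative signal, and pkg audit, by its own output, reports only on installed packages.

```python
import re

# Affected range published at heartbleed.com (CVE-2014-0160): OpenSSL 1.0.1
# through 1.0.1f inclusive. 1.0.1g, the 1.0.0 branch and the 0.9.8 branch are
# not affected. Caveat: vendors backport fixes without changing the version
# string, so "vulnerable-version" means "screen further", not "proven vulnerable".

# Matches "OpenSSL/1.0.1e-freebsd" (Apache Server: header) or "OpenSSL 1.0.1g".
TOKEN_RE = re.compile(r"OpenSSL[/ ]?(\d+\.\d+\.\d+[a-z]?)", re.IGNORECASE)
# Matches a bare package-style version, e.g. "1.0.1e-2+deb7u4" or "0.9.8o-4squeeze14".
BARE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) or None when no version is found."""
    m = TOKEN_RE.search(text)
    candidate = m.group(1) if m else text.strip()
    m2 = BARE_RE.match(candidate)
    if not m2:
        return None
    major, minor, patch, letter = m2.groups()
    return (int(major), int(minor), int(patch), letter.lower())


def heartbleed_status(version):
    """Classify a parsed version: vulnerable-version / not-vulnerable / unknown."""
    if version is None:
        return "unknown"
    major, minor, patch, letter = version
    if (major, minor, patch) != (1, 0, 1):
        return "not-vulnerable"          # 1.0.0, 0.9.8, and anything newer than 1.0.1
    if letter == "" or letter <= "f":    # 1.0.1 (no letter) up to and including 1.0.1f
        return "vulnerable-version"
    return "not-vulnerable"              # 1.0.1g and later letters


def check_server_header(server_header):
    """Screen the value of an HTTP 'Server:' header. Returns (openssl_token, status)."""
    m = TOKEN_RE.search(server_header)
    if not m:
        return (None, "unknown")
    return (m.group(0), heartbleed_status(parse_openssl_version(m.group(0))))


def audit_inventory(inventory):
    """Map each (name, version_string) pair of an inventory to its status."""
    return {name: heartbleed_status(parse_openssl_version(ver)) for name, ver in inventory}


# Constructed sample inputs (hypothetical names), values copied from the post above.
SAMPLE_SERVER_HEADER = ("Apache/2.2.26 (FreeBSD) PHP/5.4.24 SVN/1.7.14 mod_ssl/2.2.26 "
                        "OpenSSL/1.0.1e-freebsd DAV/2 mod_python/3.3.1 Python/2.7.6")
SAMPLE_INVENTORY = [
    ("Debian Wheezy", "1.0.1e-2+deb7u4"),
    ("Ubuntu 12.04.4 LTS", "1.0.1-4ubuntu5.11"),
    ("FreeBSD 10.0", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("Debian Squeeze", "0.9.8o-4squeeze14"),
    ("FreeBSD Ports", "OpenSSL 1.0.1g"),
]

if __name__ == "__main__":
    print(check_server_header(SAMPLE_SERVER_HEADER))
    for name, status in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:20s} {status}")
```

Run against the header in item 2 it reports ("OpenSSL/1.0.1e", "vulnerable-version"), which agrees with the checker in item 3 rather than with pkg audit; the two disagree because they look at different things, not because one is broken.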
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"