OpenSSL's 'Heartbleed' critical vulnerability

confuseling
Posts: 2121
Joined: 2009-10-21 01:03

OpenSSL's 'Heartbleed' critical vulnerability

#1 Post by confuseling »

Hot on the heels of GnuTLS, a hole has been found in OpenSSL too. And while I don't really understand much about security, this is being described as 'a really big one'.
What leaks in practice?

We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

...

Am I affected by the bug?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

How widespread is this?

The most notable software using OpenSSL is the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client side software. Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to the latest and best encryption will be affected most. Furthermore OpenSSL is very popular in client software and somewhat popular in networked appliances, which have the most inertia in getting updates.
http://heartbleed.com/
...
All users are urged to upgrade their openssl packages (especially libssl1.0.0) and restart applications as soon as possible.

According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible. More details will be communicated at a later time.

The oldstable distribution (squeeze) is not affected by this vulnerability.

For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5.

For the testing distribution (jessie), this problem has been fixed in version 1.0.1g-1.

For the unstable distribution (sid), this problem has been fixed in version 1.0.1g-1.

We recommend that you upgrade your openssl packages.
https://www.debian.org/security/2014/dsa-2896

This time not even OpenBSD was spared. Anyone know how Plan 9 is coming along? :(
The Forum's search box is terrible. Use site specific search, e.g.
https://www.google.com/search?q=site%3A ... terms+here

ura_soul
Posts: 31
Joined: 2014-02-01 06:06

Re: OpenSSL's 'Heartbleed' critical vulnerability

#2 Post by ura_soul »

Yes, the new version of openssl needs to be pushed out to all distributions ASAP.

stkris
Posts: 244
Joined: 2007-03-16 18:55
Location: Crying over Walt

Re: OpenSSL's 'Heartbleed' critical vulnerability

#3 Post by stkris »

Updated my server running wheezy (stable). Got openssl 1.0.1e-2+deb7u6 which is OK.

Updated my laptop running jessie (testing). Got openssl 1.0.1f-1 which is NOT ok. But 1.0.1g-1 is in testing so it is hopefully in testing soon.
Two servers running Wheezy and Squeeze, two laptops (T61,G530) running Jessie and Squeeze.

ura_soul
Posts: 31
Joined: 2014-02-01 06:06

Re: OpenSSL's 'Heartbleed' critical vulnerability

#4 Post by ura_soul »

Hmm. I ran apt-get update and apt-get upgrade..
and even apt-get dist-upgrade (I did this since I noticed client/header version mismatch errors in the logs).

After upgrading php to 5.6 and some other packages .. apparently including openssl..
openssl is still at version 1.0.1e here..

Any idea why I haven't received the updated version of openssl? Did I switch to testing by accident!?
The sources all point to wheezy, from what I am seeing..

thanks

confuseling
Posts: 2121
Joined: 2009-10-21 01:03

Re: OpenSSL's 'Heartbleed' critical vulnerability

#5 Post by confuseling »

Code:

apt-cache policy libssl1.0.0

should tell you.

ura_soul
Posts: 31
Joined: 2014-02-01 06:06

Re: OpenSSL's 'Heartbleed' critical vulnerability

#6 Post by ura_soul »

confuseling wrote:

Code:

apt-cache policy libssl1.0.0

should tell you.

Oh OK, thanks - the standard openssl version doesn't reveal the full version code.
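Added example (not from any poster in this thread): the check posts #5 and #6 are circling around, done programmatically. It compares the "Installed:" line of `apt-cache policy libssl1.0.0` output against the fixed versions listed in DSA-2896 above, using a re-implementation of dpkg's version ordering, so a bare "1.0.1e" from `openssl version` is never mistaken for the patched Debian revision. The sample policy output and the function names are constructed for this example.

```python
import re
from itertools import zip_longest

# Fixed libssl1.0.0 versions per suite, as listed in DSA-2896 (quoted above).
FIXED_VERSIONS = {"wheezy": "1.0.1e-2+deb7u5", "jessie": "1.0.1g-1", "sid": "1.0.1g-1"}

def _char_order(c):
    # dpkg order for non-digit chars: '~' < end of string < letters < other symbols
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare one upstream-version or revision string the way dpkg does: alternate
    # non-digit runs (char by char) and digit runs (numerically) until both are used up.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if x != y:
                return -1 if _char_order(x) < _char_order(y) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):  # epoch defaults to 0 and revision to "" (dpkg semantics)
        e, u, r = re.match(r"(?:(\d+):)?(.*?)(?:-([^-]*))?$", v).groups()
        return int(e or 0), u, r or ""
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def heartbleed_fixed(policy_output, suite):
    """True when the 'Installed:' libssl1.0.0 in `apt-cache policy` output is at
    or past the DSA-2896 fix for the given suite (False if nothing is installed)."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.M)
    v = m.group(1) if m else None
    return v not in (None, "(none)") and compare_versions(v, FIXED_VERSIONS[suite]) >= 0

# Constructed sample in the style of `apt-cache policy libssl1.0.0` on a wheezy
# box that has not yet pulled the security update from wheezy/updates.
SAMPLE_POLICY = """libssl1.0.0:
  Installed: 1.0.1e-2+deb7u4
  Candidate: 1.0.1e-2+deb7u5
"""
```

On a real machine, feed it the actual output: `heartbleed_fixed(subprocess.check_output(["apt-cache", "policy", "libssl1.0.0"], text=True), "wheezy")`; remember that the library is only reloaded after the services using it are restarted, as the DSA says.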

korilius
Posts: 422
Joined: 2012-04-10 00:53
Location: US/IN
Has thanked: 3 times

Re: OpenSSL's 'Heartbleed' critical vulnerability

#7 Post by korilius »

It's been suggested that Perfect Forward Secrecy be enabled as a good measure in response to this. Once I figure out how to do it, I might put together a thread about it.

stkris
Posts: 244
Joined: 2007-03-16 18:55
Location: Crying over Walt

Re: OpenSSL's 'Heartbleed' critical vulnerability

#8 Post by stkris »

stkris wrote: Updated my laptop running jessie (testing). Got openssl 1.0.1f-1 which is NOT ok. But 1.0.1g-1 is in testing so it is hopefully in testing soon.
And now it came. Installed: 1.0.1g-1

Well done, Debian Devs!

More details here: https://security-tracker.debian.org/tra ... -2014-0160

ura_soul
Posts: 31
Joined: 2014-02-01 06:06

Re: OpenSSL's 'Heartbleed' critical vulnerability

#9 Post by ura_soul »

As far as I comprehend forward secrecy, that would only be an improvement in relation to this security flaw in that previous communications sent to/from the compromised server would not be unencryptable as a result of accessing the encryption key data at the time of the hack.
Forward secrecy would not prevent the hack from happening, nor prevent malware from being inserted to permanently compromise the server (until the malware is removed).

korilius
Posts: 422
Joined: 2012-04-10 00:53
Location: US/IN
Has thanked: 3 times

Re: OpenSSL's 'Heartbleed' critical vulnerability

#10 Post by korilius »

Having perfect forward secrecy is still strongly recommended.

korilius
Posts: 422
Joined: 2012-04-10 00:53
Location: US/IN
Has thanked: 3 times

Re: OpenSSL's 'Heartbleed' critical vulnerability

#11 Post by korilius »

confuseling wrote:

Code:

apt-cache policy libssl1.0.0

should tell you.
+1 on this post.


BowCatShot
Posts: 959
Joined: 2006-07-15 12:08

Re: OpenSSL's 'Heartbleed' critical vulnerability

#13 Post by BowCatShot »

Now here's an interesting article about all of this:

http://www.bloomberg.com/news/2014-04-1 ... umers.html

Hallvor
Global Moderator
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

Re: OpenSSL's 'Heartbleed' critical vulnerability

#14 Post by Hallvor »

BowCatShot wrote: Now here's an interesting article about all of this:

http://www.bloomberg.com/news/2014-04-1 ... umers.html
"...two people familiar with the matter said"

I'm not saying it's wrong, but I'd like better sources. After Snowden, it is hard not to believe everything bad being told about the NSA. In such a climate, one must be very critical, because lies are bound to occur.

Secondly, I assume such a discovery would lead to patching of at least critical infrastructure - if not, it would backfire on the NSA later on. No patch = no knowledge.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

goulo
Posts: 47
Joined: 2012-01-19 09:52

Re: OpenSSL's 'Heartbleed' critical vulnerability

#15 Post by goulo »

BTW xkcd did a nice comic which illustrates quite clearly & simply how the bug works:

https://xkcd.com/1354/


confuseling
Posts: 2121
Joined: 2009-10-21 01:03

Re: OpenSSL's 'Heartbleed' critical vulnerability

#17 Post by confuseling »

LibreSSL (OpenBSD's fork) is 30 days old.

https://www.youtube.com/watch?v=GnBbhXB ... e=youtu.be

http://opensslrampage.org/

Not portable yet though. Some discussion of relevance to Debian here:

https://lists.debian.org/debian-devel/2 ... 00539.html
