RE: [Nolug] SSL bug

From: John Souvestre <>
Date: Tue, 8 Apr 2014 11:01:36 -0500
Message-ID: <064901cf5343$d2dce580$7896b080$>

Hi Joey.


Also ...

Version check:
      Shell: openssl version -a
            But: Many distributions repackage it and use their own version
      Test site:


    John Souvestre - New Orleans LA

-----Original Message-----
From: []
On Behalf Of Joey Kelly
Sent: Tue, April 08, 2014 10:53 am
To: undisclosed-recipients:
Subject: [Nolug] SSL bug


The guy that wrote the above needs to work on his English a little, but what's
described is bad. Very bad. If either end of an ssh or SSL connection (this
includes VPNs, IPsec, Puppet, secure websites, and other stuff) runs
vulnerable code (the site lists the versions in question), your stuff can be
owned. Log into your bank? An attacker can follow right after you and steal
all your money --- that bad.

If you run Debian 7 or CentOS 6, you are vulnerable. Versions prior are safe
(I have no idea which versions of Ubuntu are based on which versions of
Debian, so if you run that, find out ASAP).

Change all your SSL certs. Regenerate your ssh keys. Once that's done, change
any password (ssh, web login, you name it) that was used on a vulnerable
server. There is no telling if the bad guys knew about this before the bugs
were found, and no way of knowing if your stuff was accessed or not.

This is a Big Deal.

Joey Kelly
Minister of the Gospel and Linux Consultant
Nolug mailing list

Received on 04/08/14