Hi Joey.
Right!
Also ...
Version check:
Shell: openssl version -a
But: Many distributions repackage it and use their own version
number.
Test site: http://filippo.io/Heartbleed/
John
John Souvestre - New Orleans LA
-----Original Message-----
From: owner-nolug@stoney.kellynet.org [mailto:owner-nolug@stoney.kellynet.org]
On Behalf Of Joey Kelly
Sent: Tue, April 08, 2014 10:53 am
To: undisclosed-recipients:
Subject: [Nolug] SSL bug
Guys,
The guy that wrote the above needs to work on his English a little, but what's
described is bad. Very bad. If either end of an ssh or SSL connection (this
includes VPNs, IPsec, Puppet, secure websites, and other stuff) runs
vulnerable code (the site lists the versions in question), your stuff can be
owned. Log into your bank? An attacker can follow right after you and steal
all your money --- that bad.
If you run Debian 7 or CentOS 6, you are vulnerable. Versions prior are safe
(I have no idea which versions of Ubuntu are based on which versions of
Debian, so if you run that, find out ASAP).
Change all your SSL certs. Regenerate your ssh keys. Once that's done, change
any password (ssh, web login, you name it) that was used on a vulnerable
server. There is no telling if the bad guys knew about this before the bugs
were found, and no way of knowing if your stuff was accessed or not.
This is a Big Deal.
--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
___________________
Nolug mailing list
nolug@nolug.org
This archive was generated by hypermail 2.2.0 : 04/08/14 EDT