RE: [Nolug] SSL bug

From: John Souvestre <johns_at_sstar.com>
Date: Tue, 8 Apr 2014 11:02:57 -0500
Message-ID: <064b01cf5344$0335c210$09a14630$@sstar.com>

Hi Joey.

Right!

Also ...

Version check:
      Shell: openssl version -a
            But: Many distributions repackage it and use their own version number.
      Test site: http://filippo.io/Heartbleed/

John

    John Souvestre - New Orleans LA

-----Original Message-----
From: owner-nolug@stoney.kellynet.org [mailto:owner-nolug@stoney.kellynet.org]
On Behalf Of Joey Kelly
Sent: Tue, April 08, 2014 10:53 am
To: undisclosed-recipients:
Subject: [Nolug] SSL bug

http://heartbleed.com

Guys,

The guy that wrote the above needs to work on his English a little, but what's
described is bad. Very bad. If either end of an ssh or SSL connection (this
includes VPNs, IPsec, Puppet, secure websites, and other stuff) runs
vulnerable code (the site lists the versions in question), your stuff can be
owned. Log into your bank? An attacker can follow right after you and steal
all your money --- that bad.

If you run Debian 7 or CentOS 6, you are vulnerable. Versions prior are safe
(I have no idea which versions of Ubuntu are based on which versions of
Debian, so if you run that, find out ASAP).

Change all your SSL certs. Regenerate your ssh keys. Once that's done, change
any password (ssh, web login, you name it) that was used on a vulnerable
server. There is no telling if the bad guys knew about this before the bugs
were found, and no way of knowing if your stuff was accessed or not.

This is a Big Deal.

--
Joey Kelly
Minister of the Gospel and Linux Consultant http://joeykelly.net
504-239-6550
___________________
Nolug mailing list
nolug@nolug.org

Received on 04/08/14