• CIPWTTKT&GC v0x21 (v33): Fuck Titles Edition
[QUOTE=nikomo;44481704]OpenSSL vulnerability in the wild that an attacker can use to read your private keys - if you have any servers etc., go update them now, not in the next hour, not in 15 minutes, [B][U]now[/U][/B]. [url]http://heartbleed.com/[/url][/QUOTE] Cheers!
[QUOTE=nikomo;44482424]brb stealing your private keys ... Who do you work for, again?[/QUOTE] I've never told you, and now I never will. Besides, the things I'd be most concerned about are already protected by firewalls - meaning, unless your IP is on the whitelist, you can't even get a ping, and it's non-standard ports running custom(ish) protocols. But if those do get hacked somehow, you could probably do a couple mil in damage (we'd have logs to show exactly what you did and who you were, but you'd be able to do it). The other stuff - websites and junk - is either not that important, or Somebody Else's Problem.
BlackMagicDesign released a new $6000 camera and there's a typo on the first page of its website [IMG]http://i.imgur.com/DNrG3iC.png[/IMG] [IMG]http://i.imgur.com/mrospN6.png[/IMG] well done [URL="http://www.blackmagicdesign.com/products/blackmagicursa"]http://www.blackmagicdesign.com/products/blackmagicursa[/URL]
[QUOTE=meppers;44482911]BlackMagicDesign released a new $6000 camera and there's a typo on the first page of its website [IMG]http://i.imgur.com/DNrG3iC.png[/IMG] [IMG]http://i.imgur.com/mrospN6.png[/IMG] well done [URL="http://www.blackmagicdesign.com/products/blackmagicursa"]http://www.blackmagicdesign.com/products/blackmagicursa[/URL][/QUOTE] Doesn't matter so much. The camera is insanely competitive. Black Magic knows how to play hard.
Cloudflare really showed their worth with this OpenSSL thing, they've been patched for about a week now and automatically protect your servers if you're using them in the middle of the connection. Doesn't help if clients can directly connect to your server, but meh.
[QUOTE=meppers;44482911]BlackMagicDesign released a new $6000 camera and there's a typo on the first page of its website [IMG]http://i.imgur.com/DNrG3iC.png[/IMG] [IMG]http://i.imgur.com/mrospN6.png[/IMG] well done [URL="http://www.blackmagicdesign.com/products/blackmagicursa"]http://www.blackmagicdesign.com/products/blackmagicursa[/URL][/QUOTE] That 10 inch screen better be detachable.
You have to restart all services that use OpenSSL after updating it. I went through and looked at all the programs using OpenSSL on my server, went "fuck it" and just rebooted the damn thing.
[QUOTE=nikomo;44481704]OpenSSL vulnerability in the wild that an attacker can use to read your private keys - if you have any servers etc., go update them now, not in the next hour, not in 15 minutes, [B][U]now[/U][/B]. [url]http://heartbleed.com/[/url][/QUOTE] Updated my server, but it wouldn't really matter considering I don't run a site on this. Thanks though.
Gentoo bumped to 1.0.1g yesterday, which was also when I ran my world updates. I'm OK.
[code]
OpenSSL> version
OpenSSL 1.0.1e 11 Feb 2013
[/code]
uh so am i in the clear now?
[QUOTE=Giraffen93;44483644]
[code]
OpenSSL> version
OpenSSL 1.0.1e 11 Feb 2013
[/code]
uh so am i in the clear now?[/QUOTE] Nope. You need 1.0.1g to be safe.
[QUOTE=gman003-main;44483655]Nope. You need 1.0.1g to be safe.[/QUOTE] do i need some sort of unstable branch for that? i updated like half an hour ago right now the repo is overloaded :v:
[QUOTE=Giraffen93;44483666]do i need some sort of unstable branch for that? i updated like half an hour ago right now the repo is overloaded :v:[/QUOTE] [url]https://www.openssl.org/source/openssl-1.0.1g.tar.gz[/url]
[QUOTE=wingless;44483673][url]https://www.openssl.org/source/openssl-1.0.1g.tar.gz[/url][/QUOTE] dude i don't know anything about linux or compiling
You need to be either:
1.0.0 or older
1.0.1g
1.0.1-1.0.1f with -DOPENSSL_NO_HEARTBEATS compile flag

Gentoo has 1.0.1g in world apparently now
Arch Linux has 1.0.1g in testing, or you can download the ABS for the openssl package and compile it with the flag, if you want to stay at the "stable" version
Debian Wheezy is secure on package version 1.0.1e-2+deb7u5 (run apt-get update && apt-get dist-upgrade to make sure you're up-to-date, check apt-cache show openssl after update)

[url]https://access.redhat.com/security/cve/CVE-2014-0160[/url]
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, which provided openssl 1.0.1e.

[url]http://www.ubuntu.com/usn/usn-2165-1/[/url]
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04 LTS
Update instructions
The problem can be corrected by updating your system to the following package version:
Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.2
Ubuntu 12.10: libssl1.0.0 1.0.1c-3ubuntu2.7
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.12

[url]https://security-tracker.debian.org/tracker/CVE-2014-0160[/url]
squeeze (security) 0.9.8o-4squeeze14 fixed
wheezy 1.0.1e-2+deb7u4 vulnerable
wheezy (security) 1.0.1e-2+deb7u5 fixed
jessie, sid 1.0.1f-1 vulnerable
[QUOTE=nikomo;44483720] Gentoo has 1.0.1g in world apparently now Arch Linux has 1.0.1g in testing, or you can download the ABS for the openssl package and compile it with the flag, if you want to stay at the "stable" version Debian Wheezy is secure on package version 1.0.1e-2+deb7u5 (run apt-get update && apt-get dist-upgrade to make sure you're up-to-date, check apt-cache show openssl after update) [/QUOTE] updated the repo run apt-get upgrade and apt-get dist-upgrade still on version 1.0.1e-2+deb7u4
[QUOTE=Giraffen93;44483740]updated the repo run apt-get upgrade and apt-get dist-upgrade still on version 1.0.1e-2+deb7u4[/QUOTE] Your repo mirrors probably haven't pulled new packages yet. Add these to /etc/apt/sources.list
[code]
deb http://cdn.debian.net/debian/ wheezy main
deb-src http://cdn.debian.net/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
[/code]
And run apt-get update && apt-get dist-upgrade
It's a security update, so if you're missing security.debian.org from your sources, you won't get the updated package.
[QUOTE=nikomo;44483761]Your repo mirrors probably haven't pulled new packages yet. Add these to /etc/apt/sources.list
[code]
deb http://cdn.debian.net/debian/ wheezy main
deb-src http://cdn.debian.net/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
[/code]
And run apt-get update && apt-get dist-upgrade
It's a security update, so if you're missing security.debian.org from your sources, you won't get the updated package.[/QUOTE]
[code]
deb http://ftp.acc.umu.se/debian/ wheezy main non-free contrib
deb-src http://ftp.acc.umu.se/debian/ wheezy main non-free contrib

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

# wheezy-updates, previously known as 'volatile'
deb http://ftp.acc.umu.se/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.acc.umu.se/debian/ wheezy-updates main contrib non-free
[/code]
i've never even touched this, should i just replace them?
My servers still use Ubuntu Server 13.04 and 12.04.1. The latest ones for each are still not even close to 1.0.1g. balls. Might have to get around to doing a release upgrade...
[QUOTE=Giraffen93;44483793]
[code]
deb http://ftp.acc.umu.se/debian/ wheezy main non-free contrib
deb-src http://ftp.acc.umu.se/debian/ wheezy main non-free contrib

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

# wheezy-updates, previously known as 'volatile'
deb http://ftp.acc.umu.se/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.acc.umu.se/debian/ wheezy-updates main contrib non-free
[/code]
i've never even touched this, should i just replace them?[/QUOTE] You can add them, don't add the security.debian.org lines though, no point having them there twice.
Weird, I thought the packages would come from the security repos, they must be coming from the normal ones then. APT pulls the packages from whatever source has the latest ones, so there's no real point in removing the mirrors you already have on the list.
[editline]8th April 2014[/editline]
[QUOTE=benjgvps;44483800]My servers still use Ubuntu Server 13.04 and 12.04.1. The latest ones for each are still not even close to 1.0.1g. balls. Might have to get around to doing a release upgrade...[/QUOTE] You don't need to be at 1.0.1g to be safe.
Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.2
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.12
doesn't help :tinfoil: just noticed your post back there though, do i have to restart the server? even if apt-get shows the old one?
You have to either restart all services using OpenSSL, or reboot the server, after upgrade. If you reboot before upgrade, you're just wasting time.
Try adding this to sources.list
[code]
deb http://security.debian.org/debian-security wheezy/updates main
[/code]
Then apt-get update && apt-get dist-upgrade
If still nothing:
[code]
curl --remote-name http://security.debian.org/debian-security/pool/updates/main/o/openssl/openssl_1.0.1e-2+deb7u5_amd64.deb
dpkg -i openssl_1.0.1e-2+deb7u5_amd64.deb
reboot
[/code]
Don't bother trying to manually restart services, even if it's a base install, that's still a duckhunt.
[editline]8th April 2014[/editline]
There's an online tool for checking if a server on a domain is vulnerable [url]http://filippo.io/Heartbleed/[/url] It's getting hammered right now, the guy is sorting out better hosting for the site.
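Following up the point in the post above that every service using OpenSSL has to be restarted after the upgrade (the "duckhunt"), here is an added example, not code from the thread, of the check an admin can run instead of rebooting blind. When dpkg installs the new libssl/libcrypto it unlinks the old file and writes a new inode, so a process started before the upgrade still maps the old copy, and /proc/<pid>/maps marks that mapping with a "(deleted)" suffix. The two sample maps excerpts and their PIDs are constructed; read_proc_maps() is the live-host path and needs root to see other users' processes.

```python
"""List processes that still map a pre-upgrade (deleted) libssl/libcrypto,
i.e. the ones that need a restart after the OpenSSL package update.

Added example, not from the thread; SAMPLE_MAPS is constructed."""
import os
import re

# Columns of a /proc/<pid>/maps line: address perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)
LIBS = ("libssl", "libcrypto")   # basenames we care about
_DELETED = "(deleted)"


def stale_libraries(maps_text, libs=LIBS):
    """Sorted paths of deleted OpenSSL libraries mapped in one maps file."""
    found = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path.endswith(_DELETED):
            continue                      # current file, or an anonymous/stack mapping
        real_path = path[:-len(_DELETED)].rstrip()
        if any(os.path.basename(real_path).startswith(lib) for lib in libs):
            found.add(real_path)
    return sorted(found)


def find_stale_processes(maps_by_pid, libs=LIBS):
    """Map pid -> stale library paths, for every process that has at least one."""
    report = {}
    for pid, text in maps_by_pid.items():
        stale = stale_libraries(text, libs)
        if stale:
            report[pid] = stale
    return report


def read_proc_maps(proc_root="/proc"):
    """Collect maps for all readable processes on a live Linux host."""
    maps = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as fh:
                maps[int(name)] = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue                      # not ours to read, or it exited mid-scan
    return maps


# Constructed sample: PIDs and addresses are invented, paths follow Debian wheezy layout.
SAMPLE_MAPS = {
    1234: (  # web server worker started before the upgrade: old inodes, now unlinked
        "7f3a2c000000-7f3a2c1a0000 r-xp 00000000 08:01 131074  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a2c1a0000-7f3a2c3a0000 ---p 001a0000 08:01 131074  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a2c400000-7f3a2c5f0000 r-xp 00000000 08:01 131075  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
        "7fff1c000000-7fff1c021000 rw-p 00000000 00:00 0          [stack]\n"
    ),
    5678: (  # sshd restarted after the upgrade: maps the new files
        "7f9b10000000-7f9b101a0000 r-xp 00000000 08:01 131301  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
        "7f9b10400000-7f9b105f0000 r-xp 00000000 08:01 131302  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0\n"
    ),
    9012: (  # unrelated deleted mapping (a scratch file) must not be reported
        "7f0000000000-7f0000001000 rw-s 00000000 00:14 4242  /tmp/scratch.bin (deleted)\n"
    ),
}

if __name__ == "__main__":
    import sys
    source = read_proc_maps() if "--live" in sys.argv else SAMPLE_MAPS
    for pid, paths in sorted(find_stale_processes(source).items()):
        print(f"pid {pid} still maps: {', '.join(paths)}")
```

On a real Debian box `checkrestart` from debian-goodies and `lsof | grep DEL` do the same job. Two things this scan cannot see: programs that statically link OpenSSL (no separate library mapping), and anything dlopen'ed then closed, which is why a reboot remains the safe default on an unfamiliar host.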
[url]http://pastebin.com/U15GEUte[/url] i just noticed i got two when i run apt-cache show openssl, maybe i got the new one? shouldn't running version inside openssl change something?
You probably already have the latest version installed: since your APT cache contains the patched version, it's the latest, and you don't get any new packages when you try to upgrade. Running openssl version won't print out a package version, it only prints out the version of the software. Reboot your server and you're done.
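The confusion in the last few posts (openssl version still printing 1.0.1e, apt-cache show listing two versions) comes down to Debian package versions: the fix ships as a revision suffix like -2+deb7u5, not as a new upstream number, so the check has to compare full package versions. As an added example, not code from the thread or from the distributions, the script below implements the dpkg version ordering from Debian Policy (epoch, upstream, revision; alternating non-digit and digit runs; "~" sorts before everything) and checks the installed and candidate versions against the fixed package versions quoted earlier in the thread. The release labels in FIXED and the apt-cache policy transcript are my own construction.

```python
"""Decide whether a Debian/Ubuntu OpenSSL package version carries the
CVE-2014-0160 fix, using the fixed package versions quoted in the thread.

Added example, not from the thread or any distro tool. SAMPLE_POLICY is a
constructed `apt-cache policy libssl1.0.0` transcript."""
import re

# Minimum fixed package versions as quoted in the thread (Debian security
# tracker and USN-2165-1); the release labels are keys chosen here.
FIXED = {
    "wheezy": "1.0.1e-2+deb7u5",
    "ubuntu-12.04": "1.0.1-4ubuntu5.12",
    "ubuntu-12.10": "1.0.1c-3ubuntu2.7",
    "ubuntu-13.10": "1.0.1e-3ubuntu1.2",
}


def _char_order(c):
    """Sort key for one char of a non-digit run: '~' < end-of-run (0) < letters < others."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; a missing character counts as end-of-run (0)."""
    for i in range(max(len(a), len(b))):
        ka = _char_order(a[i]) if i < len(a) else 0
        kb = _char_order(b[i]) if i < len(b) else 0
        if ka != kb:
            return -1 if ka < kb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream version or a Debian revision, run by run."""
    while a or b:
        ra, rb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(ra, rb)
        if r != 0:
            return r
        a, b = a[len(ra):], b[len(rb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        na, nb = int(da or "0"), int(db or "0")   # numeric, so 12 > 9
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision); no revision means '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:                      # no '-' at all: rpartition left it all in `revision`
        upstream, revision = revision, "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Same ordering as `dpkg --compare-versions`: returns -1, 0 or 1."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    return r if r else _cmp_fragment(ra, rb)


def is_patched(release, version):
    """True/False for a release in FIXED; None when the release is unknown."""
    if release not in FIXED:
        return None
    return compare_versions(version, FIXED[release]) >= 0


def parse_apt_policy(text):
    """Pull the Installed and Candidate versions out of `apt-cache policy` output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Installed|Candidate):\s*(\S+)", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def assess(release, policy_text):
    """Report whether the installed and the candidate package versions carry the fix."""
    fields = parse_apt_policy(policy_text)
    report = {}
    for key in ("installed", "candidate"):
        v = fields.get(key)
        if v is None or v == "(none)":
            report[key], report[key + "_fixed"] = None, None
        else:
            report[key], report[key + "_fixed"] = v, is_patched(release, v)
    return report


# Constructed transcript: deb7u4 still installed, security repo offering deb7u5.
SAMPLE_POLICY = """\
libssl1.0.0:
  Installed: 1.0.1e-2+deb7u4
  Candidate: 1.0.1e-2+deb7u5
  Version table:
     1.0.1e-2+deb7u5 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
 *** 1.0.1e-2+deb7u4 0
        500 http://cdn.debian.net/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status
"""

if __name__ == "__main__":
    print(assess("wheezy", SAMPLE_POLICY))
```

On a real host the equivalent one-liner is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libssl1.0.0)" ge 1.0.1e-2+deb7u5`, which is the comparison the script reimplements. Reading the candidate as well tells the two failure modes apart: "installed vulnerable, candidate fixed" means a dist-upgrade is pending, while "both vulnerable" means the security source is missing or the mirror has not synced yet, which is the situation the thread was debugging.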
openssl version -a outputs
[code]
braxen@megabrax:~$ openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:32:27 UTC 2014
[/code]
seems to be okay then, rebooted too thanks
[QUOTE=Giraffen93;44484122]openssl version -a outputs
[code]
braxen@megabrax:~$ openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:32:27 UTC 2014
[/code]
seems to be okay then, rebooted too[/QUOTE] Yup that's patched. Now to laugh at everyone that hasn't finished patching.
i ran my old installation of ubuntu server for 4 years without updating it once, at almost the end of its lifespan i had to upgrade from 10 and download gigs of packages :v: i doubt anyone wants to attack me
In a world where [url="https://github.com/robertdavidgraham/masscan"]masscan[/url] exists, the question "who would want to attack me" is irrelevant - if it's on the public Internet, it will be attacked. Use masscan to map out all hosts that respond on 443 and then attack against those.
[url]https://braxnet.org/ass.php[/url] yeah there are actually quite a few people who try to log in to my server
[QUOTE=Giraffen93;44484243][url]https://braxnet.org/ass.php[/url] yeah there are actually quite a few people who try to log in to my server[/QUOTE] oh my god that page is great