Solved

heartbeat openssl fix fedora 16

Posted on 2014-04-09
5
759 Views
Last Modified: 2014-04-09
I am in the process of patching two redhat servers. They are only used for mail no hosted websites, but we are using SSL for mail.

One of the servers is an older version of redhat (Redhat version 16)

Linux version 3.1.0-7.fc16.x86_64 (mockbuild@x86-07.phx2.fedoraproject.org)
(gcc version 4.6.2 20111027 (Red Hat 4.6.2-1) (GCC) )

If I do a yum update openssl it will return that it is pulling
1.0.0j-1.fc16 not the most current patched version

The current version on the server.
OpenSSL 1.0.0e-fips 6 Sep 2011

From what I have been reading openssl versions under the 1.0.0 branch are not affected.
http://heartbleed.com/


With that said is there any way I can test this on the server. From what I am reading this vulnerability does not affect this server due to the version of openssl but I want to be sure.
0
Comment
Question by:binovpd
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 21

Accepted Solution

by:
Mazdajai earned 250 total points
ID: 39989493
The version you are on is not affected -

https://www.openssl.org/news/secadv_20140407.txt

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
0
 
LVL 18

Assisted Solution

by:TobiasHolm
TobiasHolm earned 250 total points
ID: 39989495
Yes, you can test online here: http://filippo.io/Heartbleed/

And here's a little program for testing: https://gist.github.com/sh1n0b1/10100394#file-ssltest-py

Happy patching ;)

Regards, Tobias
0
 

Author Closing Comment

by:binovpd
ID: 39989557
Thanks guys. What is your opinion regarding fedora 16. Should I update to the latest version and can that be done through a yum update? This was setup by someone else a long time ago.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39989570
Which 'latest' version?

Update is fine, I recommend leave openssl alone until the bug is fixed, consider you are not unaffected.
0
 

Author Comment

by:binovpd
ID: 39989593
"Which 'latest' version?"

Mazdajai I was noticing current versions of fedora are 19 and 20. All the openssl patch info seems related to those version.  I was a bit concerned we are falling far behind on the version of fedora, but as you said I think I'll just leave it alone for now.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Fine Tune your automatic Updates for Ubuntu / Debian
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question