Solved

heartbeat openssl fix fedora 16

Posted on 2014-04-09
5
740 Views
Last Modified: 2014-04-09
I am in the process of patching two redhat servers. They are only used for mail no hosted websites, but we are using SSL for mail.

One of the servers is an older version of redhat (Redhat version 16)

Linux version 3.1.0-7.fc16.x86_64 (mockbuild@x86-07.phx2.fedoraproject.org)
(gcc version 4.6.2 20111027 (Red Hat 4.6.2-1) (GCC) )

If I do a yum update openssl it will return that it is pulling
1.0.0j-1.fc16 not the most current patched version

The current version on the server.
OpenSSL 1.0.0e-fips 6 Sep 2011

From what I have been reading openssl versions under the 1.0.0 branch are not affected.
http://heartbleed.com/


With that said is there any way I can test this on the server. From what I am reading this vulnerability does not affect this server due to the version of openssl but I want to be sure.
0
Comment
Question by:binovpd
  • 2
  • 2
5 Comments
 
LVL 21

Accepted Solution

by:
Mazdajai earned 250 total points
ID: 39989493
The version you are on is not affected -

https://www.openssl.org/news/secadv_20140407.txt

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
0
 
LVL 18

Assisted Solution

by:TobiasHolm
TobiasHolm earned 250 total points
ID: 39989495
Yes, you can test online here: http://filippo.io/Heartbleed/

And here's a little program for testing: https://gist.github.com/sh1n0b1/10100394#file-ssltest-py

Happy patching ;)

Regards, Tobias
0
 

Author Closing Comment

by:binovpd
ID: 39989557
Thanks guys. What is your opinion regarding fedora 16. Should I update to the latest version and can that be done through a yum update? This was setup by someone else a long time ago.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39989570
Which 'latest' version?

Update is fine, I recommend leave openssl alone until the bug is fixed, consider you are not unaffected.
0
 

Author Comment

by:binovpd
ID: 39989593
"Which 'latest' version?"

Mazdajai I was noticing current versions of fedora are 19 and 20. All the openssl patch info seems related to those version.  I was a bit concerned we are falling far behind on the version of fedora, but as you said I think I'll just leave it alone for now.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question