Solved

heartbeat openssl fix fedora 16

Posted on 2014-04-09
5
735 Views
Last Modified: 2014-04-09
I am in the process of patching two redhat servers. They are only used for mail no hosted websites, but we are using SSL for mail.

One of the servers is an older version of redhat (Redhat version 16)

Linux version 3.1.0-7.fc16.x86_64 (mockbuild@x86-07.phx2.fedoraproject.org)
(gcc version 4.6.2 20111027 (Red Hat 4.6.2-1) (GCC) )

If I do a yum update openssl it will return that it is pulling
1.0.0j-1.fc16 not the most current patched version

The current version on the server.
OpenSSL 1.0.0e-fips 6 Sep 2011

From what I have been reading openssl versions under the 1.0.0 branch are not affected.
http://heartbleed.com/


With that said is there any way I can test this on the server. From what I am reading this vulnerability does not affect this server due to the version of openssl but I want to be sure.
0
Comment
Question by:binovpd
  • 2
  • 2
5 Comments
 
LVL 21

Accepted Solution

by:
Mazdajai earned 250 total points
ID: 39989493
The version you are on is not affected -

https://www.openssl.org/news/secadv_20140407.txt

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
0
 
LVL 18

Assisted Solution

by:TobiasHolm
TobiasHolm earned 250 total points
ID: 39989495
Yes, you can test online here: http://filippo.io/Heartbleed/

And here's a little program for testing: https://gist.github.com/sh1n0b1/10100394#file-ssltest-py

Happy patching ;)

Regards, Tobias
0
 

Author Closing Comment

by:binovpd
ID: 39989557
Thanks guys. What is your opinion regarding fedora 16. Should I update to the latest version and can that be done through a yum update? This was setup by someone else a long time ago.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39989570
Which 'latest' version?

Update is fine, I recommend leave openssl alone until the bug is fixed, consider you are not unaffected.
0
 

Author Comment

by:binovpd
ID: 39989593
"Which 'latest' version?"

Mazdajai I was noticing current versions of fedora are 19 and 20. All the openssl patch info seems related to those version.  I was a bit concerned we are falling far behind on the version of fedora, but as you said I think I'll just leave it alone for now.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read about achieving the basic levels of HRIS security in the workplace.
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question