About Me

This is a blog about Linux video tutorials. I will share my experience and what I have learned here. Your advice is most welcome. This is mainly a Video Tutorial Blog about Linux. I am here to share my learnings and experiences. May I invite you to join me in this Quest. It all started with Linux Mint 11 and my move from the dark side to freedom. Also a move to share experiences, knowledge and community spirit. I started to share my newfound knowledge and experience in various forums: Linux Mint Community, TomatoUSB and places I chanced upon when googling. As my journeys and voyages became more dispersed and frequent, I decided it was time for a place and certain ways to tie things together. Thus the birth of my blog "Guruwannabe", my user name at Linux Mint Community, the first place where I became serious about my cyber-presence. Bob Wong (黄昌文)

Monday, 21 April 2014

Heart Bleed for Heart Beat

Overview: The Heartbleed Bug is a serious vulnerability that allows outside attackers to steal sensitive information from connections otherwise believed to be secure, for example HTTPS (i.e. HTTP over SSL/TLS), secure email and VPN. All done without leaving a trace.
For more details:  http://heartbleed.com/
Visit me at:  http://community.linuxmint.com/tutorial/view/1628

Heart Bleed Bug

    • What ain't Broken?

    • What is Broken?

    • What is fixed?

What was Not Broken by Heart Bleed?

    • Major Components

      • SSL
      • SSH
      • Heart Beat
    • OpenSSL before 1.0.1

    • Non OpenSSH/OpenSSL implementations

What is Broken?

    • OpenSSH/OpenSSL Heart Beat implementation

      • 1.0.1 Branch
      • 1.0.2-beta Testing Branch
    • Yep, it's an Implementation error

What is fixed?

    • OpenSSL v1.0.1g

    • OpenSSL v1.0.2-beta2

    • Distro patch by each distro

      • Built on/after 7 Apr 2014
      • These are not necessarily 1.0.1g
    • How to check?

      • openssl version -a
      • Look for build date

Some more Checking?

    • Launch Package Manager

      • Eg: Mint Synaptic Package Manager
    • Search/Filter for “ssl” installed

      • Eg: libssl1.0.0, openssl
    • Select libssl1.0.0 and [Get Changelog]

      • Look for CVE-2014-0160 fix
    • CLI - Mint13

      • apt-get changelog openssl
      • apt-get changelog libssl1.0.0 

What to look for?

  • CVE-2014-0160  fix

  • 1.01-4ubuntu5.12 for Mint13
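
The checks above (version string, build date, changelog entry) combined into one script. This is an added example, not part of the original tutorial; the function names, result labels and sample text are assumptions made up for illustration, and the affected-release list is the upstream one (1.0.1 through 1.0.1f, 1.0.2-beta and 1.0.2-beta1).

```shell
#!/bin/sh
# Classify an OpenSSL install from `openssl version -a` text and changelog text.

# Print the "built on:" date as YYYYMMDD, or nothing if the line is missing.
build_date() {
    printf '%s\n' "$1" | awk '
        /^built on:/ {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
            for (i = 3; i <= NF; i++) {
                k = $i
                if (k in mon) { mo = mon[k]; d = $(i + 1) }
                if (k ~ /^(19|20)[0-9][0-9]$/) y = k
            }
            if (y && mo) printf "%04d%02d%02d\n", y, mo, d
            exit
        }'
}

# $1 = output of `openssl version -a`, $2 = package changelog text
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
    case "$ver" in
        '') echo unknown; return ;;
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) ;;   # affected upstream releases
        *) echo not-affected-version; return ;;
    esac
    # Distros backport the fix without changing the version string,
    # so the changelog entry is the real evidence.
    if printf '%s\n' "$2" | grep -q 'CVE-2014-0160'; then
        echo distro-patched
    elif [ "$(build_date "$1")" -ge 20140407 ] 2>/dev/null; then
        echo check-changelog      # built after the fix date, but no proof yet
    else
        echo vulnerable
    fi
}

# Constructed sample input: a 1.0.1 version string with a post-fix build date.
sample_version='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64'
sample_changelog='  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - CVE-2014-0160'
heartbleed_status "$sample_version" "$sample_changelog"
```

On a live Mint/Ubuntu box, call it as `heartbleed_status "$(openssl version -a)" "$(apt-get changelog libssl1.0.0)"`.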

Anything Else?

    • Yes, Google for the rest :)

      • This is meant as a simple guide
    • After patching, what to look for?

      • Generate New Certificates
      • Revoke Old Certificates
      • Get all End users to Change Passwords
      • Other Details
        • Check with your service provider, eg: online mail, Ruby on Rails etc.
    • Remember not all OpenSSH/OpenSSL is affected!