About Me

这是一个有关Linux视频教程的部落格。我将在此与大家分享经验与所学。请多多赐教。 This is mainly a Video Tutorial Blog about Linux. I am here to share my learnings and experiences. May I invite you to join me in this Quest. It all started with Linux Mint 11 and my move from the dark-side to freedom. Also a move to share experiences, knowledge and community spirit. I started to share my new found knowledge and experience in various different forums - Linux Mint Community, TomatoUSB and places I chance upon when googling. As my journey and voyages become more disperse and frequent, I decided its time for a place and certain ways to tie things together. Thus, the birth of my blog "Guruwannabe" - my user-name at Linux Mint Community, the first place that I became serious about my cyber-presence. Bob Wong (黄昌文)

Monday, 21 April 2014

Heart Bleed for Heat Beat


Overview:  The Heartbleed Bug is a serious vulnerability that allows outside attackers to steal sensitive information on an otherwise believed to be secured connections for example: https (ie: http over ssl/tls), secure email and VPN. All done without leaving a trace.
For more details:  http://heartbleed.com/
Visit me at:  http://community.linuxmint.com/tutorial/view/1628

Heart Bleed Bug

    • What ain't Broken?

    • What is Broken?

    • What is fixed?



What was Not Broken by Heart Bleed?

    • Major Components

      • SSL
      • SSH
      • Heart Beat
    • OpenSSL before 1.0.1

    • Non OpenSSH/OpenSSL implementations



What is Broken?

    • OpenSSH/OpenSSL Heart Beat implementation

      • 1.0.1 Branch
      • 1.0.2-beta Testing Branch
    • Yep, it's an Implementation error



What is fixed?

    • OpenSSL v1.0.1g

      OpenSSL v1.0.2-beta2

    • Distropatch by each distro

      • Built on/after 7apr2014
      • These not necessary be 1.0.1g
    • How to check?

      • openssl version -a
      • Look for build date


Some more Checking?

    • Launch Package Manager

      • Eg: Mint Synatic Package Manger
    • Search/Filter for “ssl” installed

      • Eg: libssl1.0.0, openssl
    • Select libssl1.0.0 and [Get Changelog]

      • Look for CVE-2014-0160 fix
    • CLI - Mint13

      • apt-get changelog openssl
      • apt-get changelog libssl1.0.0 

What to look for :?

  • CVE-2014-0160  fix

  • 1.01-4ubuntu5.12 for Mint13


Anything Else?

    • Yes, Google for the rest :)

      • This is meant As a Simple Guide
    • After Patch, Look for??

      • Generate New Certificates
      • Revoke Old Certificates
      • Get all End users to Change Passwords
      • Other Details
        • Check with your Service Provider eg: Online Mail, Ruby Rail etc...
    • Remember not all OpenSSH/OpenSSL is affected!

20140421

10 comments:

  1. Replies
    1. The effectiveness of IEEE Project Domains depends very much on the situation in which they are applied. In order to further improve IEEE Final Year Project Domains practices we need to explicitly describe and utilise our knowledge about software domains of software engineering Final Year Project Domains for CSE technologies. This paper suggests a modelling formalism for supporting systematic reuse of software engineering technologies during planning of software projects and improvement programmes in Final Year Projects for CSE.

      Software management seeks for decision support to identify technologies like JavaScript that meet best the goals and characteristics of a software project or improvement programme. JavaScript Training in Chennai Accessible experiences and repositories that effectively guide that technology selection are still lacking.

      Aim of technology domain analysis is to describe the class of context situations (e.g., kinds of JavaScript software projects) in which a software engineering technology JavaScript Training in Chennai can be applied successfully

      The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete