About Me

这是一个有关Linux视频教程的部落格。我将在此与大家分享经验与所学。请多多赐教。 This is mainly a Video Tutorial Blog about Linux. I am here to share my learnings and experiences. May I invite you to join me in this Quest. It all started with Linux Mint 11 and my move from the dark-side to freedom. Also a move to share experiences, knowledge and community spirit. I started to share my new found knowledge and experience in various different forums - Linux Mint Community, TomatoUSB and places I chance upon when googling. As my journey and voyages become more disperse and frequent, I decided its time for a place and certain ways to tie things together. Thus, the birth of my blog "Guruwannabe" - my user-name at Linux Mint Community, the first place that I became serious about my cyber-presence. Bob Wong (黄昌文)

Monday 21 April 2014

Heart Bleed for Heat Beat


Overview:  The Heartbleed Bug is a serious vulnerability that allows outside attackers to steal sensitive information on an otherwise believed to be secured connections for example: https (ie: http over ssl/tls), secure email and VPN. All done without leaving a trace.
For more details:  http://heartbleed.com/
Visit me at:  http://community.linuxmint.com/tutorial/view/1628

Heart Bleed Bug

    • What ain't Broken?

    • What is Broken?

    • What is fixed?



What was Not Broken by Heart Bleed?

    • Major Components

      • SSL
      • SSH
      • Heart Beat
    • OpenSSL before 1.0.1

    • Non OpenSSH/OpenSSL implementations



What is Broken?

    • OpenSSH/OpenSSL Heart Beat implementation

      • 1.0.1 Branch
      • 1.0.2-beta Testing Branch
    • Yep, it's an Implementation error



What is fixed?

    • OpenSSL v1.0.1g

      OpenSSL v1.0.2-beta2

    • Distropatch by each distro

      • Built on/after 7apr2014
      • These not necessary be 1.0.1g
    • How to check?

      • openssl version -a
      • Look for build date


Some more Checking?

    • Launch Package Manager

      • Eg: Mint Synatic Package Manger
    • Search/Filter for “ssl” installed

      • Eg: libssl1.0.0, openssl
    • Select libssl1.0.0 and [Get Changelog]

      • Look for CVE-2014-0160 fix
    • CLI - Mint13

      • apt-get changelog openssl
      • apt-get changelog libssl1.0.0 

What to look for :?

  • CVE-2014-0160  fix

  • 1.01-4ubuntu5.12 for Mint13


Anything Else?

    • Yes, Google for the rest :)

      • This is meant As a Simple Guide
    • After Patch, Look for??

      • Generate New Certificates
      • Revoke Old Certificates
      • Get all End users to Change Passwords
      • Other Details
        • Check with your Service Provider eg: Online Mail, Ruby Rail etc...
    • Remember not all OpenSSH/OpenSSL is affected!

20140421

10 comments:

  1. Awesome post. Woderful content. I am regularly follow this blog. Thank you for updating such a good content. Amazon Web Services Training in Chennai

    ReplyDelete
  2. Learn what a VPN is and how you can download the best VPN software for free! Use NordVPN on any device or OS: Windows, macOS, Android, iOS, and more. Nordvpn Full Español

    ReplyDelete
  3. Microsoft Office 2022 with the latest crack gives you full activated features to use the Office Full version on Mac and Windows devices. Activate Office 2010 Crack

    ReplyDelete
  4. Looking for funny birthday wishes for younger sister, look no further. Greetings, jokes, wishes, we have all the best,cute,beautiful and sweet words Birthday Sister Funny

    ReplyDelete