SCIENTIFIC-LINUX-USERS Archives

April 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
heartbleed and openssl update
From:
William Lutter <[log in to unmask]>
Reply To:
[log in to unmask]
Date:
Thu, 10 Apr 2014 11:05:56 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (31 lines) 
I see this link relative to openssl and heartbleed exploit...

https://www.openssl.org/news/secadv_20140407.txt

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.

My SL 6.5 lists
openssl-1.0.1e-16.el6_5.7.x86_64
openssl098e-0.9.8e-17.el6_2.2.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64

so, it is a vulnerable version of openssl.

Question 1
I enabled fastbugs in sl-other.repo and well as usual enables in sl.repo, however, do not see an update for openssl.

Will there be one forthcoming from SL or have I missed the proper repository to get it? 
I have no server on this PC, so I am not worried yet.

Question 2
I surmise that older versions of openssl on older SLs are not impacted
such as
openssl-0.9.8e-26.el5_9.1.i686

Bill Lutter

ATOM RSS1 RSS2