public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
@ 2014-04-28 15:17 Joseph
  2014-04-28 16:02 ` Joseph
  0 siblings, 1 reply; 9+ messages in thread
From: Joseph @ 2014-04-28 15:17 UTC
  To: gentoo-user

Which program do I upgrade to fix the Heartbleed bug?

http://safeweb.norton.com/heartbleed/
is showing me that my server is vulnerable.
I'm using dev-libs/openssl-0.9.8y 

Why is "safeweb.norton" reporting my server as vulnerable?

-- 
Joseph


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
  2014-04-28 15:17 [gentoo-user] Heartbleed - using openssl-0.9.8y and affected Joseph
@ 2014-04-28 16:02 ` Joseph
  2014-04-28 18:13   ` Tom Wijsman
  2014-04-28 23:58   ` Michael Orlitzky
  0 siblings, 2 replies; 9+ messages in thread
From: Joseph @ 2014-04-28 16:02 UTC
  To: gentoo-user

On 04/28/14 09:17, Joseph wrote:
>Which program do I upgrade to fix the Heartbleed bug?
>
>http://safeweb.norton.com/heartbleed/
>is showing me my server is vulnerable.
>I'm using dev-libs/openssl-0.9.8y
>
>Why is "safeweb.norton" reporting my server as vulnerable?

I'm using apache-2.2.25.
Which file contains the setting for SSLCompression?
I'm trying to turn it off.

-- 
Joseph



* Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
  2014-04-28 16:02 ` Joseph
@ 2014-04-28 18:13   ` Tom Wijsman
  2014-04-28 18:34     ` Joseph
  2014-04-28 23:58   ` Michael Orlitzky
  1 sibling, 1 reply; 9+ messages in thread
From: Tom Wijsman @ 2014-04-28 18:13 UTC
  To: gentoo-user


On Mon, 28 Apr 2014 10:02:52 -0600
Joseph <syscon780@gmail.com> wrote:

> On 04/28/14 09:17, Joseph wrote:
> >Which program do I upgrade to fix the Heartbleed bug?
> >
> >http://safeweb.norton.com/heartbleed/
> >is showing me my server is vulnerable.
> >I'm using dev-libs/openssl-0.9.8y
> >
> >Why is "safeweb.norton" reporting my server as vulnerable?
> 
> I'm using apache-2.2.25.
> Which file contains the setting for SSLCompression?
> I'm trying to turn it off.

Unaffected according to:

    http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml

Perhaps all you need to do is restart the Apache service?

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D



* Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
  2014-04-28 18:13   ` Tom Wijsman
@ 2014-04-28 18:34     ` Joseph
  2014-04-28 18:51       ` Mike Gilbert
  2014-04-28 18:54       ` Mike Gilbert
  0 siblings, 2 replies; 9+ messages in thread
From: Joseph @ 2014-04-28 18:34 UTC
  To: gentoo-user

On 04/28/14 20:13, Tom Wijsman wrote:
>On Mon, 28 Apr 2014 10:02:52 -0600
>Joseph <syscon780@gmail.com> wrote:
>
>> On 04/28/14 09:17, Joseph wrote:
>> >Which program do I upgrade to fix the Heartbleed bug?
>> >
>> >http://safeweb.norton.com/heartbleed/
>> >is showing me my server is vulnerable.
>> >I'm using dev-libs/openssl-0.9.8y
>> >
>> >Why is "safeweb.norton" reporting my server as vulnerable?
>>
>> I'm using apache-2.2.25.
>> Which file contains the setting for SSLCompression?
>> I'm trying to turn it off.
>
>Unaffected according to:
>
>    http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml
>
>Perhaps all you need to do is restart the Apache service?
>
>-- 
>With kind regards,
>
>Tom Wijsman (TomWij)
>Gentoo Developer
>
>E-mail address  : TomWij@gentoo.org
>GPG Public Key  : 6D34E57D
>GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D

No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f,
and the one that was in use was the buggy one: 1.0.1f.
I recompiled 1.0.1f without tls-heartbeat and the problem is solved.

dev-libs/openssl
     Available versions:
     (0.9.8) 0.9.8y
     (0)     1.0.0j 1.0.1f
       {bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib}
     Installed versions:  0.9.8y(0.9.8)(11:06:09 PM 10/18/2013)(sse2 zlib -bindist -gmp -kerberos -test) 1.0.1f(12:57:54 PM 03/21/2014)(sse2 tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs -test -vanilla)

But what puzzles me is that when I downgraded it to 1.0.0j (an unaffected version) I could not restart apache. I was getting an error:

/etc/init.d/apache2 restart
 * apache2 has detected an error in your setup:
apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: TLSv1_1_client_method
 * ERROR: apache2 failed to stop



-- 
Joseph


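The message above shows the trap that bit Joseph: two OpenSSL slots were installed, only one of them was the build Apache actually loaded, and the USE flag `tls-heartbeat` decides whether the vulnerable extension is compiled in at all. The script below is an added example written for this page, not code from the thread or from Gentoo; it turns the `eix` listing quoted above and an `openssl version` string into a Heartbleed verdict. The version facts it encodes are the ones the thread relies on (1.0.1 through 1.0.1f affected, 1.0.1g fixed, 0.9.8 and 1.0.0 never had the extension), and the `EIX_LINE` constant is constructed to match the output Joseph pasted.

```python
import re

# Added example, not code from the thread: triage an OpenSSL build for Heartbleed
# (CVE-2014-0160) from the version string and the Gentoo USE flags it was built
# with. Version facts used: 1.0.1 through 1.0.1f carry the vulnerable heartbeat
# code, 1.0.1g fixes it, and the 0.9.8 and 1.0.0 branches never had the extension.

VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")

# eix "Installed versions" entries look like VERSION[(SLOT)](DATE)(USE FLAGS)
EIX_ENTRY_RE = re.compile(r"(\d+\.\d+\.\d+[a-z]*)(?:\([\d.]+\))?\([^)]*\)\(([^)]*)\)")


def parse_version(text):
    """Turn 'OpenSSL 1.0.1f 6 Jan 2014' (or just '1.0.1f') into (1, 0, 1, 'f')."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def parse_eix_installed(line):
    """Map each installed version on an eix 'Installed versions' line to its enabled USE flags."""
    installed = {}
    for version, flags in EIX_ENTRY_RE.findall(line):
        # eix prints enabled flags bare and disabled flags with a leading '-'
        installed[version] = {f for f in flags.split() if not f.startswith("-")}
    return installed


def heartbleed_status(version_text, use_flags=None):
    """Return 'unaffected', 'fixed', 'mitigated' or 'vulnerable'.

    use_flags is the set of enabled USE flags; None means unknown and is treated
    as the ebuild default (+tls-heartbeat), i.e. the heartbeat extension is built in.
    """
    major, minor, fix, letter = parse_version(version_text)
    if (major, minor, fix) != (1, 0, 1):
        return "unaffected"      # 0.9.8y, 1.0.0j: no heartbeat extension at all
    if letter >= "g":
        return "fixed"           # 1.0.1g added the missing length check
    if use_flags is not None and "tls-heartbeat" not in use_flags:
        return "mitigated"       # built without the extension (USE=-tls-heartbeat)
    return "vulnerable"


# Constructed to match the eix output quoted in the thread.
EIX_LINE = ("0.9.8y(0.9.8)(11:06:09 PM 10/18/2013)(sse2 zlib -bindist -gmp -kerberos -test) "
            "1.0.1f(12:57:54 PM 03/21/2014)(sse2 tls-heartbeat zlib -bindist -gmp -kerberos "
            "-rfc3779 -static-libs -test -vanilla)")


def triage_installed(eix_line=EIX_LINE):
    """Verdict for every installed slot; the slot the running server loads is the one that matters."""
    return {v: heartbleed_status(v, flags) for v, flags in parse_eix_installed(eix_line).items()}


if __name__ == "__main__":
    for version, status in sorted(triage_installed().items()):
        print(version, status)
```

Running it on the quoted listing reports 0.9.8y as unaffected and 1.0.1f as vulnerable, which is exactly the situation Joseph found: the version he first checked was the harmless one, while the slot Apache had linked against was the affected one. Rebuilding 1.0.1f with `USE=-tls-heartbeat` moves it to "mitigated"; upgrading to 1.0.1g moves it to "fixed".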

* Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
  2014-04-28 18:34     ` Joseph
@ 2014-04-28 18:51       ` Mike Gilbert
  2014-04-28 18:54       ` Mike Gilbert
  1 sibling, 0 replies; 9+ messages in thread
From: Mike Gilbert @ 2014-04-28 18:51 UTC
  To: gentoo-user

On Mon, Apr 28, 2014 at 2:34 PM, Joseph <syscon780@gmail.com> wrote:
> But what puzzles me is that when I downgraded it to 1.0.0j (an unaffected version) I
> could not restart apache.  I was getting an error:
>
> /etc/init.d/apache2 restart
> * apache2 has detected an error in your setup:
> apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load
> /usr/lib64/apache2/modules/mod_ssl.so into server:
> /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol:
> TLSv1_1_client_method
> * ERROR: apache2 failed to stop
>

When you *downgrade* a shared library, you generally need to rebuild
all programs which are linked against that library. The newer library
version may provide additional symbols which would be missing from the
older version of the library. That's what that "undefined symbol"
error is about.


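Mike's explanation can be checked mechanically before restarting anything: the module's imported dynamic symbols must all be exported by the libraries now installed. The script below is an added example for this page, not code from the thread, Gentoo or Apache. It compares `nm -D` style listings; the listings themselves are constructed to mirror the thread (a `mod_ssl.so` built against the 1.0.1 branch imports `TLSv1_1_client_method`, which the 1.0.0 branch predates), not captured from a real machine.

```python
import re

# Added example, not code from the thread: reproduce the "undefined symbol:
# TLSv1_1_client_method" diagnosis by comparing the dynamic symbols a module
# imports against the ones the installed libraries export, as `nm -D` lists them.
# Every listing below is constructed to mirror the thread, not captured output.

NM_LINE_RE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")


def parse_nm(text):
    """Return {symbol: type} from `nm -D` output; 'U' marks an import, anything else an export."""
    symbols = {}
    for raw in text.splitlines():
        m = NM_LINE_RE.match(raw.strip())
        if m:
            # drop glibc-style version tags such as memcpy@@GLIBC_2.14
            symbols[m.group(2).split("@")[0]] = m.group(1)
    return symbols


def missing_symbols(consumer_nm, *provider_nms):
    """Imports of the consumer that none of the given providers export, sorted."""
    needed = {s for s, t in parse_nm(consumer_nm).items() if t == "U"}
    provided = set()
    for listing in provider_nms:
        provided |= {s for s, t in parse_nm(listing).items() if t != "U"}
    return sorted(needed - provided)


# A mod_ssl.so built against OpenSSL 1.0.1 imports the TLS 1.1/1.2 method symbols.
MOD_SSL_NM = """\
                 U SSL_CTX_new
                 U SSLv23_server_method
                 U TLSv1_1_client_method
                 U TLSv1_2_client_method
                 U memcpy@@GLIBC_2.14
0000000000004a10 T ssl_module
"""

# libssl from the 1.0.0 branch predates TLS 1.1/1.2, so it lacks those methods.
LIBSSL_1_0_0_NM = """\
0000000000021f30 T SSL_CTX_new
0000000000032ac0 T SSLv23_server_method
0000000000032b10 T TLSv1_client_method
"""

# The 1.0.1 branch the module was built against exports them.
LIBSSL_1_0_1_NM = LIBSSL_1_0_0_NM + """\
0000000000033c80 T TLSv1_1_client_method
0000000000033cf0 T TLSv1_2_client_method
"""

LIBC_NM = """\
0000000000091a00 T memcpy
"""


def check_downgrade(libssl_nm):
    """Symbols the loader would fail on when mod_ssl.so is loaded against this libssl."""
    return missing_symbols(MOD_SSL_NM, libssl_nm, LIBC_NM)


if __name__ == "__main__":
    print("after downgrade to 1.0.0:", check_downgrade(LIBSSL_1_0_0_NM))
    print("with matching 1.0.1:", check_downgrade(LIBSSL_1_0_1_NM))
```

Against the 1.0.0 listing the check returns both TLS 1.1 and 1.2 method symbols; the dynamic loader stops at the first one it cannot resolve, which is why Apache's error names only `TLSv1_1_client_method`. On a real system `ldd -r /usr/lib64/apache2/modules/mod_ssl.so` performs the same relocation check against the installed libraries, and Gentoo's `revdep-rebuild` (app-portage/gentoolkit) finds and rebuilds every package in that state after a library downgrade.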

* Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
  2014-04-28 18:34     ` Joseph
  2014-04-28 18:51       ` Mike Gilbert
@ 2014-04-28 18:54       ` Mike Gilbert
  2014-04-28 19:09         ` Joseph
  1 sibling, 1 reply; 9+ messages in thread
From: Mike Gilbert @ 2014-04-28 18:54 UTC
  To: gentoo-user

On Mon, Apr 28, 2014 at 2:34 PM, Joseph <syscon780@gmail.com> wrote:
> No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f,
> and the one that was in use was the buggy one: 1.0.1f.
> I recompiled 1.0.1f without tls-heartbeat and the problem is solved.
>

Why not run emerge --sync and upgrade to 1.0.1g?



* Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
  2014-04-28 18:54       ` Mike Gilbert
@ 2014-04-28 19:09         ` Joseph
  2014-04-28 20:05           ` Stroller
  0 siblings, 1 reply; 9+ messages in thread
From: Joseph @ 2014-04-28 19:09 UTC
  To: gentoo-user

On 04/28/14 14:54, Mike Gilbert wrote:
>On Mon, Apr 28, 2014 at 2:34 PM, Joseph <syscon780@gmail.com> wrote:
>> No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f,
>> and the one that was in use was the buggy one: 1.0.1f.
>> I recompiled 1.0.1f without tls-heartbeat and the problem is solved.
>>
>
>Why not run emerge --sync and upgrade to 1.0.1g?

This is my running server, so I try to upgrade the backup first before upgrading the main server.
I recompiled 1.0.1f without "tls-heartbeat" and it solved the problem.

-- 
Joseph



* Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
  2014-04-28 19:09         ` Joseph
@ 2014-04-28 20:05           ` Stroller
  0 siblings, 0 replies; 9+ messages in thread
From: Stroller @ 2014-04-28 20:05 UTC
  To: gentoo-user


On Mon, 28 April 2014, at 8:09 pm, Joseph <syscon780@gmail.com> wrote:

> On 04/28/14 14:54, Mike Gilbert wrote:
>> On Mon, Apr 28, 2014 at 2:34 PM, Joseph <syscon780@gmail.com> wrote:
>>> No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f,
>>> and the one that was in use was the buggy one: 1.0.1f.
>>> I recompiled 1.0.1f without tls-heartbeat and the problem is solved.
>>> 
>> 
>> Why not run emerge --sync and upgrade to 1.0.1g?
> 
> This is my running server, so I try to upgrade the backup first before upgrading the main server.
> I recompiled 1.0.1f without "tls-heartbeat" and it solved the problem.

If you don't want to emerge --sync (and by implication "update everything"), you can download the ebuild for just this package and put it in /usr/local/portage:

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-libs/openssl/openssl-1.0.1g.ebuild

Stroller.




* Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
  2014-04-28 16:02 ` Joseph
  2014-04-28 18:13   ` Tom Wijsman
@ 2014-04-28 23:58   ` Michael Orlitzky
  1 sibling, 0 replies; 9+ messages in thread
From: Michael Orlitzky @ 2014-04-28 23:58 UTC
  To: gentoo-user

On 04/28/2014 12:02 PM, Joseph wrote:
> 
> I'm using apache-2.2.25.
> Which file contains the setting for SSLCompression?
> I'm trying to turn it off.
> 

It's on by default in apache-2.2. Place the following somewhere in
40_mod_ssl.conf, between "<IfModule ssl_module>" and "</IfModule>":

  # Disable CRIME attack (off by default in apache-2.4)
  SSLCompression off



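Michael's answer has two parts that are easy to get wrong by hand: on Apache 2.2 the absence of the directive means compression is on, and a directive only takes effect where the server actually reads it (not inside a comment, not inside an `<IfModule>` for some other module). The script below is an added example written for this page, not code from the thread or from the Apache project; it audits a mod_ssl configuration fragment for the effective `SSLCompression` value and applies the fix described above. The configuration fragments it operates on are constructed, not taken from a real server.

```python
import re

# Added example, not code from the thread: audit an Apache 2.2 mod_ssl configuration
# for TLS compression and, if needed, apply the fix the thread describes. Apache 2.2
# leaves SSLCompression on unless a directive turns it off, so "no directive" means on.
# The configuration fragments below are constructed, not taken from a real server.

IFMODULE_OPEN_RE = re.compile(r"^\s*<IfModule\s+(\S+?)\s*>", re.I)
IFMODULE_CLOSE_RE = re.compile(r"^\s*</IfModule\s*>", re.I)
DIRECTIVE_RE = re.compile(r"^\s*SSLCompression\s+(on|off)\s*$", re.I)
SSL_MODULE_NAMES = ("ssl_module", "mod_ssl.c")


def ssl_compression_state(config_text, default="on"):
    """Return (state, line_no): the effective SSLCompression value and where it was set.

    Only top-level directives and those inside <IfModule ssl_module> count, because a
    server that is serving TLS has that module loaded. The last directive seen wins.
    """
    state, where, stack = default, None, []
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                                   # comments configure nothing
        m = IFMODULE_OPEN_RE.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if IFMODULE_CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        m = DIRECTIVE_RE.match(line)
        if m and all(mod in SSL_MODULE_NAMES for mod in stack):
            state, where = m.group(1).lower(), n
    return state, where


def harden(config_text):
    """Return config_text with SSLCompression forced off inside <IfModule ssl_module>."""
    state, where = ssl_compression_state(config_text)
    if state == "off":
        return config_text                             # already hardened; idempotent
    lines = config_text.splitlines()
    if where is not None:                              # explicit 'on': flip it in place
        old = lines[where - 1]
        indent = old[:len(old) - len(old.lstrip())]
        lines[where - 1] = indent + "SSLCompression off"
        return "\n".join(lines) + "\n"
    for i, line in enumerate(lines):                   # no directive: add one to the ssl block
        m = IFMODULE_OPEN_RE.match(line)
        if m and m.group(1) in SSL_MODULE_NAMES:
            lines[i + 1:i + 1] = ["    # Disable CRIME attack (off by default in apache-2.4)",
                                  "    SSLCompression off"]
            return "\n".join(lines) + "\n"
    raise ValueError("no <IfModule ssl_module> block to hold the directive")


# Constructed fragments: one with compression explicitly on, one that never mentions it.
WEAK_CONF = """\
<IfModule ssl_module>
    SSLEngine on
    SSLCompression on
    # SSLCompression off   (commented out, so it has no effect)
</IfModule>
"""

SILENT_CONF = """\
<IfModule ssl_module>
    SSLEngine on
</IfModule>
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("silent", SILENT_CONF)):
        print(name, "before:", ssl_compression_state(conf), "after:", ssl_compression_state(harden(conf)))
```

Both fragments are reported as `("on", ...)` before hardening, the silent one with no line number because nothing set it, and both come back as `off` afterwards. Running `ssl_compression_state` over the contents of `40_mod_ssl.conf` (and any vhost files that include SSL directives) is a quick way to confirm the directive landed where Apache will honour it before restarting the service.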
