[AusNOG] Heartbleed Bug

Colin Stubbs colin.stubbs at equatetechnologies.com.au
Tue Apr 8 19:04:51 EST 2014


Also, from what I've seen, that test is rubbish as it doesn't take into
account packages with a backported fix.

The online test actually does a memory read of what it has already sent,
which validates real vulnerability.
On 08/04/2014 5:08 pm, "Mark Ashley" <mark at ibiblio.org> wrote:

> Depending on the testing methodology, you can get incorrect results too.
> This command is floating around as a test at the moment:
>
> % openssl s_client -connect yourhost.example.com:443 -tlsextdebug |& grep
> 'server extension "heartbeat" (id=15)' || echo safe
>
> But it'll falsely report 'safe' when this occurs:
>
> % openssl s_client -connect not-in-dns.example.com:443 -tlsextdebug
> gethostbyname failure
> connect:errno=0
>
>
>
> On Tue, Apr 8, 2014 at 4:58 PM, Peter Tonoli <peter at medstv.unimelb.edu.au>wrote:
>
>> Mea culpa. The installed Debian package was unaffected, however the
>> custom-compiled Nginx had a vulnerable OpenSSL statically compiled (which
>> is why I thought it was a false positive).
>>
>> ----- Original Message -----
>> > From: "Nathan Brookfield" <Nathan.Brookfield at simtronic.com.au>
>> > To: "Peter Tonoli" <peter at medstv.unimelb.edu.au>, "Tim Groeneveld" <
>> tim at timg.ws>
>> > Cc: ausnog at lists.ausnog.net
>> > Sent: Tuesday, 8 April, 2014 3:20:49 PM
>> > Subject: RE: [AusNOG] Heartbleed Bug
>> > After some tests I just did, the site seems 100% correct over the 5 or
>> > 6 boxes I just checked. I did have to restart the Apache daemon for
>> > the updated packages to take effect though.
>> >
>> > -----Original Message-----
>> > From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
>> > Peter Tonoli
>> > Sent: Tuesday, 8 April 2014 3:09 PM
>> > To: Tim Groeneveld
>> > Cc: ausnog at lists.ausnog.net
>> > Subject: Re: [AusNOG] Heartbleed Bug
>> >
>> >
>> > > ----- Original Message -----
>> > > > Hi All,
>> > > >   Now the general public are aware of the Heartbleed bug
>> > > > http://heartbleed.com/ for SSL does anyone have any information
>> > > > about what routers/switches/load balancers network components may
>> > > > be
>> > > > linked with this affected library. I would think that the server
>> > > > people would have this well in hand but perhaps we may be missing
>> > > > some critical info of what's buried inside our network kit.
>> > >
>> > >
>> > > You might find this handy:
>> > >
>> > > http://filippo.io/Heartbleed/
>> >
>> > I'm not entirely sure that it is handy. I've tested it on a host that
>> > seems to be running a non-vulnerable version of OpenSSL, yet gets
>> > flagged as being vulnerable on this site..
>> >
>> > --
>> > Peter Tonoli < peter at medstv.unimelb.edu.au > +61-3-9288-2399 IT
>> > Manager The University of Melbourne - Eastern Hill Academic Centre,
>> > St. Vincent's Institute and O'Brien Institute
>> > _______________________________________________
>> > AusNOG mailing list
>> > AusNOG at lists.ausnog.net
>> > http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>> --
>> Peter Tonoli < peter at medstv.unimelb.edu.au > +61-3-9288-2399
>> IT Manager
>> The University of Melbourne - Eastern Hill Academic Centre, St. Vincent's
>> Institute and O'Brien Institute
>>
>
>
>
>
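As an added example (not part of the original thread), the one-liner quoted above can be made to distinguish a failed connection from a server that genuinely does not advertise the heartbeat extension. The classifier below reads the merged output of openssl s_client -tlsextdebug and only reports "no-heartbeat" once it has seen the CONNECTED( line and a negotiated cipher; the function names, the exit codes and the sample output lines are assumptions for illustration. Note that "heartbeat" only means the extension is advertised: a distribution package with a backported fix, or a build of 1.0.1g, still advertises it, so this check cannot separate a patched server from a vulnerable one, which is the point made at the top of this thread. What it does fix is the false "safe": a wrong hostname or a blocked port now shows up as connect-failed.

```shell
#!/bin/sh
# Added example, not from the AusNOG thread: a safer wrapper around the
# `openssl s_client -tlsextdebug | grep heartbeat` test. Function names
# and exit codes are illustrative assumptions.

# classify_heartbeat_output: read the merged stdout/stderr of
# `openssl s_client -tlsextdebug` on stdin and print exactly one word.
#   connect-failed    no "CONNECTED(" line: DNS/TCP failure, result unknown
#   handshake-failed  TCP connected but no cipher negotiated, result unknown
#   heartbeat         server advertised the heartbeat extension (id=15)
#   no-heartbeat      handshake completed without the heartbeat extension
# The exit status mirrors the word (0, 1, 2, 3) so callers can branch on it.
classify_heartbeat_output() {
    out=$(cat)
    case "$out" in
        *"CONNECTED("*) ;;
        *) echo connect-failed; return 2 ;;
    esac
    # s_client prints "New, (NONE), Cipher is (NONE)" when the TLS
    # handshake did not complete; the extension lines may then be missing
    # for reasons that have nothing to do with heartbeat support.
    case "$out" in
        *"Cipher is (NONE)"*) echo handshake-failed; return 3 ;;
    esac
    case "$out" in
        *'server extension "heartbeat" (id=15)'*) echo heartbeat; return 1 ;;
        *) echo no-heartbeat; return 0 ;;
    esac
}

# check_heartbeat_ext HOST [PORT]: run s_client against a live host and
# classify the result. stdin comes from /dev/null so s_client exits after
# the handshake instead of waiting for input; stderr is merged so the
# "gethostbyname failure" / "connect:errno=" lines are seen too.
check_heartbeat_ext() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -tlsextdebug \
        </dev/null 2>&1 | classify_heartbeat_output
}

# Example usage (network required):
#   check_heartbeat_ext yourhost.example.com 443
#   check_heartbeat_ext not-in-dns.example.com   # connect-failed, not "safe"
```

Run it against each host and treat anything other than no-heartbeat as "still needs checking": connect-failed and handshake-failed mean the test never ran, and heartbeat needs the package version or a real heartbeat probe to confirm whether the fix is in.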