does this bug affect us?

[toukie]

http://heartbleed.com/

[RandomUsername]

From the linked page:

OpenSSL 0.9.8 branch is NOT vulnerable

From my up to date B3:

Code: Select all

$ apt-cache policy openssl
openssl:
  Installed: 0.9.8o-4squeeze14
  Candidate: 0.9.8o-4squeeze14
  Version table:
 *** 0.9.8o-4squeeze14 0
        500 http://ftp.se.debian.org/debian/ squeeze
/main armel Packages
        600 http://b3.update.excito.org/ upstream_sq
ueeze/main armel Packages
        100 /var/lib/dpkg/status

So, no?

[DanielM]

So, no?

That was my conclusion as well when I saw the bug. Maybe sometimes being on a very old version is a good thing, right

/Daniel

[Gordon]

Not always. Remember the PHP CGI bug?

As for openssl, we don't know if the heartbeat bug was introduced by fixing another bug or introducing a new feature. To really know whether 0.9.8 is safer than 1.0.x one should plough through the changelogs.

[RandomUsername]

I've been playing with some of the tools for testing this vulnerability. So far, the only vulnerable site I've found is this one!

Code: Select all

$ ./heartbleeder forum.excito.net
VULNERABLE - forum.excito.net:443 has the heartbeat extension enabled and is vulnerable to CVE-2014-0160

[EDIT]There's an online checker for anyone who's interested: filippo.io/Heartbleed/

[johannes]

Yes, we have gone through all our servers now and the only one affected was this forum (patched now). Since we cannot guarantee anything, you might want to consider changing your passwords here.