does this bug affect us?

Posted: 08 Apr 2014, 14:11
by toukie

Re: does this bug affect us?

Posted: 08 Apr 2014, 14:48
by RandomUsername
From the linked page:
OpenSSL 0.9.8 branch is NOT vulnerable
From my up to date B3:

Code:

$ apt-cache policy openssl
openssl:
  Installed: 0.9.8o-4squeeze14
  Candidate: 0.9.8o-4squeeze14
  Version table:
 *** 0.9.8o-4squeeze14 0
        500 http://ftp.se.debian.org/debian/ squeeze/main armel Packages
        600 http://b3.update.excito.org/ upstream_squeeze/main armel Packages
        100 /var/lib/dpkg/status
So, no?

Re: does this bug affect us?

Posted: 09 Apr 2014, 02:24
by DanielM
RandomUsername wrote: So, no?
That was my conclusion as well when I saw the bug. Maybe sometimes being on a very old version is a good thing, right :D

/Daniel

Re: does this bug affect us?

Posted: 09 Apr 2014, 07:31
by Gordon
Not always. Remember the PHP CGI bug?

As for openssl, we don't know if the heartbeat bug was introduced by fixing another bug or introducing a new feature. To really know whether 0.9.8 is safer than 1.0.x one should plough through the changelogs.

Re: does this bug affect us?

Posted: 10 Apr 2014, 06:04
by RandomUsername
I've been playing with some of the tools for testing this vulnerability. So far, the only vulnerable site I've found is this one!

Code:

$ ./heartbleeder forum.excito.net
VULNERABLE - forum.excito.net:443 has the heartbeat extension enabled and is vulnerable to CVE-2014-0160
[EDIT] There's an online checker for anyone who's interested: filippo.io/Heartbleed/

Re: does this bug affect us?

Posted: 11 Apr 2014, 03:20
by johannes
Yes, we have gone through all our servers now and the only one affected was this forum (patched now). Since we cannot guarantee anything, you might want to consider changing your passwords here.