[olug] Heartbleed

unfy olug at unfy.org
Thu Apr 10 03:43:15 UTC 2014


This has gotten a fair bit of press, which is good.  Reminds me of the 
debian cert issues / rng / 64k etc thing :D.

At my work, our policy tends to be 'if it ain't broke, don't fix it'.

Thus, none of our stuff was running the 1.x branch of openssl stuff; all 
of it is 0.9.x stuff.

No massive run around to 400+ locations to fix openssl stuff for 
meeeeeee yay!

-Will

On 4/9/2014 6:39 PM, Justin Reiners wrote:
> Yes, over the next few days I will be changing certs as well as passwords on
> the entire network. We are waiting for certs to be reissued now. All
> outward facing servers are patched now. Working on the rest tomorrow.
>
> Luckily patching is a piece of cake.
> On Apr 9, 2014 6:12 PM, "Jeff Hinrichs - DM&T" <jeffh at dundeemt.com> wrote:
>
>> Admins: Not only certs but you should force users to change their
>> passwords.
>>
>> Users: If you haven't changed your passwords in a while/ever now is the
>> time.  Password managers are your friend.
>>
>> Last article I saw was estimating 2/3 of the internet was affected.
>> Personally, our systems were 50% affected.  If you were vulnerable, you
>> have to assume you were compromised.
>>
>> -j
>>
>>
>> On Wed, Apr 9, 2014 at 6:01 PM, Tom Fritz <tfritz at me.com> wrote:
>>
>>>> I will assume that the slow traffic on the mailing list tonight is
>>>> because we are all busy checking our systems for the openssl heartbleed
>>>> vulnerability.
>>>>
>>>> If you aren't, you should be.
>>>>
>>>> RHEL/CentOS folks, please see this note:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
>>>>
>>>> Red Hat announcement:
>>>> https://access.redhat.com/site/announcements/781953
>>>>
>>>> Fedora Announcement:
>>>>
>>>> https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
>>>
>>> There appears to be some confusion if applying the fix is enough.
>>> If your server has been compromised you need to regen/replace your certs
>>> after installing the fixed openssl. I have talked with some folks and
>>> they think updating the openssl is enough and it may not be. You can't
>>> detect if your system has been compromised. I also haven't seen an
>>> IDS/IPS signature released. If someone knows otherwise, please share.
>>>
>>> Tom.
>>> _______________________________________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://lists.olug.org/mailman/listinfo/olug
>>>
>>
>>
>> --
>> Best,
>>
>> Jeff Hinrichs
>> 402.218.1473
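Will's observation that the 0.9.x branch was never affected, and Tom's reminder to go check your systems, suggest a first triage step for a fleet the size Will describes. The script below is an added example written for this archive page; it is not from the thread, from any poster, or from the OpenSSL project. It classifies `openssl version` output against the upstream affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g and later are fixed; 0.9.8 and 1.0.0 never had the heartbeat code) and counts affected hosts in a constructed inventory whose hostnames and version strings are made up. The caveat Tom's Red Hat bugzilla link is really about: distribution vendors backport fixes without changing the upstream version string, so a host reporting 1.0.1e can already be patched. Treat an "affected" result as a prompt to check the package changelog or vendor advisory, not as proof of exposure.

```shell
#!/bin/sh
# Added example, not from the OLUG thread. Screens `openssl version` strings
# against the upstream Heartbleed-affected range:
#   0.9.8 and 1.0.0 branches never had the TLS heartbeat extension -> not-affected
#   1.0.1 through 1.0.1f, and 1.0.2-beta1                          -> affected
#   1.0.1g and later, 1.0.2 final and later, 1.1.x, 3.x            -> fixed
# Caveat: vendors backport the fix without bumping the upstream version, so a
# "1.0.1e" RHEL/CentOS package may already be patched. "affected" here means
# "go check the package changelog / vendor advisory", not proof of exposure.

heartbleed_status() {
  # $1 is one line as printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
  case "$ver" in
    '')                              echo unknown ;;       # not OpenSSL, or garbled
    0.9.*|1.0.0*)                    echo not-affected ;;  # no heartbeat code at all
    1.0.2-beta1)                     echo affected ;;      # must precede the 1.0.2* rule
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)   echo affected ;;      # e.g. 1.0.1e, 1.0.1e-fips
    1.0.1[g-z]*|1.0.2*|1.1.*|3.*)    echo fixed ;;
    *)                               echo unknown ;;       # betas etc.: look it up by hand
  esac
}

# Constructed inventory (hostnames and versions are made up), one host per line:
# "<host> <output of openssl version>", the kind of file you would build with
#   for h in $HOSTS; do printf '%s %s\n' "$h" "$(ssh "$h" openssl version)"; done
SAMPLE_INVENTORY='web1 OpenSSL 1.0.1e 11 Feb 2013
web2 OpenSSL 1.0.1g 7 Apr 2014
db1 OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
vpn1 OpenSSL 1.0.2-beta1 24 Feb 2014
legacy OpenSSL 1.0.0-fips 29 Mar 2010'

# Read an inventory on stdin, print "<host> <status>" per line.
report_inventory() {
  while read -r host line; do
    printf '%s %s\n' "$host" "$(heartbleed_status "$line")"
  done
}

# Read an inventory on stdin, print only the number of hosts classified "affected".
count_affected() {
  n=0
  while read -r host line; do
    if [ "$(heartbleed_status "$line")" = affected ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Stand-alone run over the constructed inventory.
printf '%s\n' "$SAMPLE_INVENTORY" | report_inventory
printf 'affected hosts: %s\n' "$(printf '%s\n' "$SAMPLE_INVENTORY" | count_affected)"
```

The version-string parsing is deliberately conservative: anything that is not an `OpenSSL` banner, or a pre-release the table does not cover, comes back as `unknown` rather than `fixed`, so the only way a host drops off the follow-up list is a version the script positively knows is safe. On the constructed inventory, `web1` and `vpn1` are reported affected, `web2` fixed, and `db1` and `legacy` not affected.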


