Wondering if the NSA already knew about Heartbleed and has been cracking Google, Facebook and other servers so far.
Now that it's out, people are rushing to fix it, and so are we.
I saw a great intro to Heartbleed at http://vimeo.com/91425662
If you run this, it will tell you which OpenSSL library nginx is using:
ldd `which nginx` | grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f6d0c0cf000)
And now if you run this, it will tell you whether you are vulnerable:
strings /usr/lib64/libssl.so.10 | grep "^OpenSSL "
OpenSSL 1.0.1e-fips 11 Feb 2013
If you have anything from 1.0.1 through 1.0.1f you are vulnerable; the Percona guys have a nice post on the same: http://www.mysqlperformanceblog.com/2014/04/08/openssl-heartbleed-cve-2014-0160/
CentOS has released a patch for the current stable release, and to fix it all you need to do is update CentOS, or recompile nginx with the TLS heartbeat extension disabled.
To update CentOS run "sudo yum update openssl" and then restart the services that use OpenSSL, such as nginx, MySQL and Apache.
To verify that it's fixed, run one of:
http://possible.lv/tools/hb/?domain=uat.xyz.com
http://filippo.io/Heartbleed/#qa.xyz.com
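As an added example, not code from the original post, here is a small sh script that wraps the checks above into functions: it classifies an OpenSSL banner against the 1.0.1 to 1.0.1f range, reads the banner from whatever libssl a binary links to, and lists processes that still map a deleted libssl after "yum update" (patched on disk, but the old code keeps running until the service restarts). The function names and sample banners are my own.

```shell
#!/bin/sh
# Classify an "OpenSSL x.y.z..." banner for CVE-2014-0160 (Heartbleed).
# Affected: 1.0.1 through 1.0.1f. 1.0.1g+ and the 1.0.0/0.9.8 lines are not.
# Caveat: CentOS/RHEL backport security fixes without bumping the banner, so a
# "1.0.1e" string after the update is not proof of vulnerability; confirm with
#   rpm -q --changelog openssl | grep CVE-2014-0160
# Prints affected / not-affected / unknown; exit status 0 / 1 / 2.
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo "affected"; return 0 ;;
        *)                echo "not-affected"; return 1 ;;
    esac
}

# Banner of the libssl a binary is dynamically linked against, following the
# same ldd + strings steps as the post, e.g.: libssl_version_of "$(which nginx)"
libssl_version_of() {
    lib=$(ldd "$1" 2>/dev/null | awk '/libssl/ { print $3; exit }')
    [ -n "$lib" ] || return 1
    strings "$lib" | grep -m1 '^OpenSSL [0-9]'
}

# PIDs that still map a libssl whose file was replaced on disk ("(deleted)" in
# /proc/PID/maps). These are the services that must be restarted after the
# package update; an empty list means nothing is running the old library.
stale_libssl_pids() {
    grep -l 'libssl.*(deleted)' /proc/[0-9]*/maps 2>/dev/null \
        | cut -d/ -f3 | sort -un
}

# Stand-alone use: check the nginx binary and report lingering processes.
if [ "${1:-}" = "--check-nginx" ]; then
    banner=$(libssl_version_of "$(command -v nginx)") || { echo "nginx not found"; exit 2; }
    echo "$banner -> $(heartbleed_affected "$banner" || true)"
    echo "processes still mapping a deleted libssl: $(stale_libssl_pids | tr '\n' ' ')"
fi
```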
Good video, even for non-tech folks. BTW I also like this comic: Heartbleed Explanation http://xkcd.com/1354/