Koozali.org: home of the SME Server

Heartbleed Bug - SME Server 8.x NOT affected

kruhm
« on: April 10, 2014, 05:27:34 PM »
Hi,

So in the past 48 hours I've gotten more than 4 messages from vendors (FoxyCart, Mailchimp, Freshbooks, etc.) about the Heartbleed Bug. It was even on the Today show.

There are a lot of different write-ups about this. It looks as if the OpenSSL 0.9.8 branch is not vulnerable. So V8 should be fine.
Code:
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

And it looks like v9 has a concern that was already raised and patched by the quick-acting CharlieBrady here:
http://bugs.contribs.org/show_bug.cgi?id=8318

Just looking for re-assurance that the OpenSSL in v8 is OK.

Thanks,
« Last Edit: April 12, 2014, 12:12:59 AM by wellsi »

CharlieBrady
Re: Heartbleed Bug
« Reply #1 on: April 10, 2014, 06:38:14 PM »
Quote
Just looking for re-assurance that the OpenSSL in v8 is OK.

You are correct, it is.

hawk
Re: Heartbleed Bug
« Reply #2 on: April 11, 2014, 06:16:02 AM »
Not sure if this is the correct web site to use, but this is the link I used to test my servers; all passed.

http://filippo.io/Heartbleed/

thanks
john

wellsi
Re: Heartbleed Bug - SME Server 8.x NOT affected
« Reply #3 on: April 12, 2014, 12:17:53 AM »
Upstream have confirmed that RHEL 5, which is used in Cos 5 and therefore SME Server 8, is not affected.

http://www.openssl.org/news/secadv_20140407.txt
https://access.redhat.com/security/cve/CVE-2014-0160

From RedHat:
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6.4 and earlier, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat JBoss Web Server 1 and 2. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e. Errata have been released to correct this issue.

https://access.redhat.com/site/announcements/781953
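Added example, not part of the original thread or of SME Server: a shell function that classifies an `openssl version` banner against the upstream CVE-2014-0160 range (1.0.1 through 1.0.1f and the first 1.0.2 betas), plus the package-changelog check needed where a distribution backports the fix without changing the banner. The function names and result labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and result labels are illustrative only.

# Classify an `openssl version` banner by upstream release.
heartbleed_status() {
    # Second field of "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" is the version.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case $ver in
        '')
            echo unknown ;;
        0.9.*|1.0.0*)
            # Branches that predate the TLS heartbeat code.
            echo not-affected ;;
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*|1.0.2-beta|1.0.2-beta1)
            # Upstream-vulnerable range. A distro build may keep this banner
            # after the fix is backported, so confirm with the package data.
            echo affected-range ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|[3-9].*)
            echo fixed-upstream ;;
        *)
            echo unknown ;;
    esac
}

# On RPM-based systems the banner cannot confirm a backported fix; the
# package changelog names the CVE once the erratum is installed.
# Returns 0 if mentioned, 1 if not, 2 if rpm is unavailable.
rpm_changelog_mentions_fix() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
}

# Classify the local binary when one is installed.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version 2>/dev/null)"
fi
```

An `affected-range` result on a Red Hat-derived system means "check the errata", not "vulnerable": run `rpm_changelog_mentions_fix` or compare the installed package against the vendor advisory.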

Stefano
Re: Heartbleed Bug - SME Server 8.x NOT affected
« Reply #4 on: April 12, 2014, 01:33:07 PM »
FYI, I've just tested a SME 7.6 and it seems not affected too

wellsi
Re: Heartbleed Bug - SME Server 8.x NOT affected
« Reply #5 on: April 14, 2014, 01:17:57 AM »
Quote
FYI, I've just tested a SME 7.6 and it seems not affected too

However there have been no updates for 7.6 for a long time as it went EOL last year. Anyone using 7.6 should really move to SME 8, or even SME 9 (if they are happy that SME 9 is still in Beta).

CharlieBrady
Re: Heartbleed Bug - SME Server 8.x NOT affected
« Reply #6 on: April 14, 2014, 01:26:31 AM »
Quote
FYI, I've just tested a SME 7.6 ...

Doesn't sound like a good use of your time ...

Quote
and it seems not affected too

We could have told you that... :-)

Stefano
Re: Heartbleed Bug - SME Server 8.x NOT affected
« Reply #7 on: April 14, 2014, 10:44:23 PM »
@Charlie.. I have many 7.x still working and online ;-)

CharlieBrady
Re: Heartbleed Bug - SME Server 8.x NOT affected
« Reply #8 on: April 14, 2014, 10:55:18 PM »
Quote
@Charlie.. I have many 7.x still working and online ;-)

That doesn't sound like something one should boast about. :-)