Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: kruhm on April 10, 2014, 05:27:34 PM

Title: Heartbleed Bug - SME Server 8.x NOT affected
Post by: kruhm on April 10, 2014, 05:27:34 PM
Hi,

So in the past 48 hours I've gotten more than 4 messages from vendors (FoxyCart, Mailchimp, Freshbooks, etc.) about the Heartbleed Bug. It was even on the Today show.

There are a lot of different write-ups about this. It looks as if the OpenSSL 0.9.8 branch is not vulnerable. So V8 should be fine.
Code:
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

And it looks like v9 has a concern that was already raised and patched by the quick-acting CharlieBrady here:
http://bugs.contribs.org/show_bug.cgi?id=8318

Just looking for re-assurance that the OpenSSL in v8 is OK.

Thanks,
Title: Re: Heartbleed Bug
Post by: CharlieBrady on April 10, 2014, 06:38:14 PM
Quote
Just looking for re-assurance that the OpenSSL in v8 is OK.

You are correct, it is.
Title: Re: Heartbleed Bug
Post by: hawk on April 11, 2014, 06:16:02 AM
Not sure if this is the correct web site to use, but this is the link I used to test my servers; all passed.

http://filippo.io/Heartbleed/

thanks
john
Title: Re: Heartbleed Bug - SME Server 8.x NOT affected
Post by: wellsi on April 12, 2014, 12:17:53 AM
Upstream have confirmed that RHEL 5, which is used in Cos 5 and therefore SME Server 8, is not affected.

http://www.openssl.org/news/secadv_20140407.txt
https://access.redhat.com/security/cve/CVE-2014-0160

From RedHat:
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6.4 and earlier, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat JBoss Web Server 1 and 2. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e. Errata have been released to correct this issue.

https://access.redhat.com/site/announcements/781953
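An added example, not part of any post in this thread: a shell function that classifies an `openssl version` line against the upstream advisory's affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g). The function name `heartbleed_status` and its result labels are made up for this sketch, and the sample lines other than the 0.9.8e one are constructed. A distro-suffixed 1.0.1 build is reported as `check-package-errata`, because vendor errata fix the bug without changing the version string.

```shell
#!/bin/sh
# Classify an `openssl version` line for Heartbleed (CVE-2014-0160).
# Upstream: 1.0.1 through 1.0.1f affected, 1.0.1g fixed;
# the 0.9.8 and 1.0.0 branches never had the heartbeat code.
heartbleed_status() {
    # $1: full output line, e.g. "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    [ -n "$ver" ] || { echo unknown; return; }
    base=${ver%%-*}   # drop distro suffix such as -fips-rhel5
    case $base in
        0.9.*|1.0.0|1.0.0[a-z]*)
            echo not-affected ;;
        1.0.1|1.0.1[abcdef])
            # A suffixed build may carry a backported fix under the
            # same version string, so the string alone cannot decide.
            if [ "$base" != "$ver" ]; then
                echo check-package-errata
            else
                echo affected
            fi ;;
        1.0.1[a-z]*)
            echo fixed ;;
        *)
            echo unknown ;;   # branch not covered by this thread
    esac
}

# Constructed sample lines (the first is the one posted above).
for line in \
    "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1f 6 Jan 2014" \
    "OpenSSL 1.0.1g 7 Apr 2014"
do
    printf '%-40s %s\n' "$line" "$(heartbleed_status "$line")"
done
```

For a `check-package-errata` result, the installed package release and the vendor's errata notice decide, for example via `rpm -q --changelog openssl` on RPM-based systems.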
Title: Re: Heartbleed Bug - SME Server 8.x NOT affected
Post by: Stefano on April 12, 2014, 01:33:07 PM
FYI, I've just tested a SME 7.6 and it seems not affected too
Title: Re: Heartbleed Bug - SME Server 8.x NOT affected
Post by: wellsi on April 14, 2014, 01:17:57 AM
Quote
FYI, I've just tested a SME 7.6 and it seems not affected too

However there have been no updates for 7.6 for a long time as it went EOL last year. Anyone using 7.6 should really move to SME 8, or even SME 9 (if they are happy that SME 9 is still in Beta).
Title: Re: Heartbleed Bug - SME Server 8.x NOT affected
Post by: CharlieBrady on April 14, 2014, 01:26:31 AM
Quote
FYI, I've just tested a SME 7.6 ...

Doesn't sound like a good use of your time ...

Quote
and it seems not affected too

We could have told you that... :-)
Title: Re: Heartbleed Bug - SME Server 8.x NOT affected
Post by: Stefano on April 14, 2014, 10:44:23 PM
@Charlie.. I have many 7.x still working and online ;-)
Title: Re: Heartbleed Bug - SME Server 8.x NOT affected
Post by: CharlieBrady on April 14, 2014, 10:55:18 PM
Quote
@Charlie.. I have many 7.x still working and online ;-)

That doesn't sound like something one should boast about. :-)