
Thread: Heartbleed and SuSE Servers!

  1. #1

    Heartbleed and SuSE Servers!

    Hi Guys!

    Recently there has been a lot of news about this new vulnerability being reported.
    I went through this document: http://www.novell.com/support/kb/doc.php?id=7014878 and it does tell you that there is nothing to worry about since our components do not use OpenSSL.

    I was wondering if there is a way I can manually check and confirm if my SuSE Servers are safe from this vulnerability?

    Any pointers?
    Any other methods?

    Thank you,
    - ddgaikwad

  2. Re: Heartbleed and SuSE Servers!

    Hi ddgaikwad,
    Originally posted by ddgaikwad:
    > Hi Guys!
    >
    > Recently there has been a lot of news about this new vulnerability being reported.
    > I went through this document: http://www.novell.com/support/kb/doc.php?id=7014878 and it does tell you that there is nothing to worry about since our components do not use OpenSSL.
    >
    > I was wondering if there is a way I can manually check and confirm if my SuSE Servers are safe from this vulnerability?
    >
    > Any pointers?
    > Any other methods?
    >
    > Thank you,
    > - ddgaikwad

    From that TID you referenced (it may have been updated since you loaded it):
    > To test whether your site is vulnerable, simply go to https://www.ssllabs.com/ssltest and put in your public domain in there before running the test.

    And SLES indeed does provide OpenSSL libraries - just in an unaffected version...

    Regards,
    Jens
    From the times when today's "old school" was "new school"

    If you find this post helpful and are logged into the web interface, show your appreciation and click on the star below...

  3. Re: Heartbleed and SuSE Servers!

    On Thu 10 Apr 2014 03:14:01 PM CDT, ddgaikwad wrote:


    > Hi Guys!
    >
    > Recently there has been a lot of news about this new vulnerability
    > being reported.
    > I went through this document:
    > http://www.novell.com/support/kb/doc.php?id=7014878 and it does tell you
    > that there is nothing to worry about since our components do not use OpenSSL.
    >
    > I was wondering if there is a way I can manually check and confirm
    > if my SuSE Servers are safe from this vulnerability?
    >
    > Any pointers?
    > Any other methods?
    >
    > Thank you,
    > - ddgaikwad


    Hi
    I used this PoC https://gist.github.com/sh1n0b1/10100394

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-7-desktop


  4. #4

    Re: Heartbleed and SuSE Servers!

    Just ask the OS which version of OpenSSL it is using (0.9.8) and then
    compare with the affected version (1.0.1 through 1.0.1f) and you're done.

    rpm -qi openssl

    --
    Good luck.


  5. #5

    Re: Heartbleed and SuSE Servers!

    On 10/04/2014 16:45, ab wrote:

    > Just ask the OS which version of OpenSSL it is using (0.9.8) and then
    > compare with the affected version (1.0.1 through 1.0.1f) and you're done.
    >
    > rpm -qi openssl


    Just because OpenSSL 1.0.1 through 1.0.1f is vulnerable doesn't mean
    that if "rpm -qi openssl" reports 1.0.1 through 1.0.1f then you are
    vulnerable since it's possible that you might have a packaged version of
    OpenSSL with relevant fix(es) implemented.

    This is the case with openSUSE 12.3 and 13.1, where they had and still
    have OpenSSL 1.0.1e, but the difference is that the latest packages
    include the fix for the Heartbleed vulnerability.

    HTH.
    --
    Simon
    SUSE Knowledge Partner


  6. #6

    Re: Heartbleed and SuSE Servers!

    > Just because OpenSSL 1.0.1 through 1.0.1f is vulnerable doesn't mean
    > that if "rpm -qi openssl" reports 1.0.1 through 1.0.1f then you are
    > vulnerable since it's possible that you might have a packaged version
    > of OpenSSL with relevant fix(es) implemented.
    >
    > This is the case with openSUSE 12.3 and 13.1, where they had and still
    > have OpenSSL 1.0.1e, but the difference is that the latest packages
    > include the fix for the Heartbleed vulnerability.


    Well-noted, but this is a SLE forum, and while being on 1.0.1e (or even up
    through 1.0.1f) does not mean you are vulnerable, NOT being on 1.0.1 at
    all DOES mean you are not vulnerable in all cases just like being on
    1.0.1g or later. In SLE, you're on 0.9.8.


    --
    Good luck.
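
The version rule argued over in posts #4 to #6, written out as an added example (not posted by anyone in this thread): a version in 1.0.1 through 1.0.1f means "check whether the package carries a backported fix", anything else on a release branch means not affected. The function names, the `KEYWORD` parameter, the sample changelog and `ADVISORY-ID-PLACEHOLDER` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the version rule from posts #4-#6 as a reusable check.

# classify_openssl_version VERSION -> prints one verdict:
#   not-affected    outside 1.0.1 .. 1.0.1f (0.9.8, 1.0.0, 1.0.1g and later)
#   check-backport  inside that range; a distro package may still carry the fix
#   unknown         not in N.N.N[letters] form (beta tags, vendor suffixes, empty)
classify_openssl_version() {
    if ! printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$'; then
        echo unknown
        return 0
    fi
    case $1 in
        1.0.1|1.0.1[a-f]) echo check-backport ;;
        *)                echo not-affected ;;
    esac
}

# assess_package VERSION KEYWORD, with the package changelog on stdin.
# KEYWORD is whatever identifier the vendor advisory uses for the fix
# (hypothetical parameter; the thread does not name one).
assess_package() {
    verdict=$(classify_openssl_version "$1")
    changelog=$(cat)                      # always drain stdin
    if [ "$verdict" != check-backport ]; then
        echo "$verdict"
    elif [ -n "$2" ] && printf '%s\n' "$changelog" | grep -qiF -- "$2"; then
        echo fix-listed-in-changelog
    else
        echo no-fix-listed
    fi
}

# Constructed sample changelog (not real rpm output); the id is a placeholder.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 packager@example.invalid
- Add fix for Heartbleed (ADVISORY-ID-PLACEHOLDER)
* Mon Feb 11 2013 packager@example.invalid
- Update to 1.0.1e'

for v in 0.9.8j 1.0.0 1.0.1 1.0.1e 1.0.1g 1.0.2-beta1; do
    printf '%-12s %s\n' "$v" "$(classify_openssl_version "$v")"
done
printf '%s\n' "$SAMPLE_CHANGELOG" | assess_package 1.0.1e ADVISORY-ID-PLACEHOLDER

# On a real host (standard rpm query options):
#   rpm -q --changelog openssl | \
#     assess_package "$(rpm -q --qf '%{VERSION}' openssl)" '<advisory id>'
```

The `check-backport` verdict is deliberately not called "vulnerable": as post #5 points out, the package build decides that, not the upstream version string.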

