Heartbleed and SuSE Servers!

Hi Guys!

Recently there has been a lot of news about this new vulnerability being reported.
I went through this document: http://www.novell.com/support/kb/doc.php?id=7014878 and it does tell you that there is nothing to worry about since our components do not use OpenSSL.

I was wondering if there is a way I can manually check and confirm that my SuSE Servers are safe from this vulnerability?

Any pointers?
Any other methods?

Thank you,

ddgaikwad

Hi ddgaikwad,

[QUOTE=ddgaikwad;20416]I went through this document: http://www.novell.com/support/kb/doc.php?id=7014878 and it does tell you that there is nothing to worry about since our components do not use OpenSSL.

I was wondering if there is a way I can manually check and confirm that my SuSE Servers are safe from this vulnerability?[/QUOTE]

From that TID you referenced (it may have been updated since you loaded it):

And SLES indeed does provide OpenSSL libraries, just in an unaffected version…

Regards,
Jens

Hi
I used this PoC https://gist.github.com/sh1n0b1/10100394


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-7-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

Just ask the OS which version of OpenSSL it is using (0.9.8) and then
compare with the affected versions (1.0.1 through 1.0.1f) and you’re done.

rpm -qi openssl


Good luck.


On 10/04/2014 16:45, ab wrote:

> Just ask the OS which version of OpenSSL it is using (0.9.8) and then
> compare with the affected versions (1.0.1 through 1.0.1f) and you’re done.
>
> rpm -qi openssl

Just because OpenSSL 1.0.1 through 1.0.1f is vulnerable doesn’t mean
that if “rpm -qi openssl” reports 1.0.1 through 1.0.1f then you are
vulnerable, since it’s possible that you might have a packaged version of
OpenSSL with the relevant fix(es) implemented.

This is the case with openSUSE 12.3 and 13.1, where they had and still
have OpenSSL 1.0.1e, but the difference is that the latest packages include
the fix for the Heartbleed vulnerability.

HTH.

Simon
SUSE Knowledge Partner



> Just because OpenSSL 1.0.1 through 1.0.1f is vulnerable doesn’t mean
> that if “rpm -qi openssl” reports 1.0.1 through 1.0.1f then you are
> vulnerable, since it’s possible that you might have a packaged version
> of OpenSSL with the relevant fix(es) implemented.
>
> This is the case with openSUSE 12.3 and 13.1, where they had and still
> have OpenSSL 1.0.1e, but the difference is that the latest packages include
> the fix for the Heartbleed vulnerability.

Well noted, but this is a SLE forum, and while being on 1.0.1e (or even up
through 1.0.1f) does not mean you are vulnerable, NOT being on 1.0.1 at
all DOES mean you are not vulnerable in all cases, just like being on
1.0.1g or later. In SLE, you’re on 0.9.8.


Good luck.

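The two-step check the thread arrives at (ab's version test, then Simon's caveat that a distro may ship an affected version string with the fix backported) written out as a script. This is an added example, not code from the thread or from SUSE. It assumes rpm(8) is present (SLES/openSUSE) and that a backported fix is recorded in the package changelog with the text "CVE-2014-0160" or "heartbleed"; the sample changelog in the script is constructed for the demo, not a real SUSE changelog.

```shell
#!/bin/sh
# Added example, not code from this thread or from SUSE.
# Step 1 (ab): is the OpenSSL version in the affected range 1.0.1..1.0.1f?
# Step 2 (Simon): if so, does the package changelog show a backported fix?
# Assumptions: rpm(8) is available, and a backported fix is mentioned in the
# changelog as "CVE-2014-0160" or "heartbleed".

# Constructed sample changelog standing in for `rpm -q --changelog openssl`.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 packager@example.com
- add openssl-CVE-2014-0160-heartbleed.patch: bounds-check TLS heartbeat
  requests so a peer cannot read past the end of the record'

# heartbleed_status VERSION CHANGELOG
# Prints one word:
#   unaffected - version is outside 1.0.1..1.0.1f (SLE's 0.9.8, or 1.0.1g+)
#   patched    - affected version string, but the changelog records the fix
#   vulnerable - affected version string and no sign of a backported fix
heartbleed_status() {
    ver=$1
    changelog=$2
    case "$ver" in
        1.0.1|1.0.1[a-f])
            # Upstream-affected release: only a distro backport saves it.
            if printf '%s\n' "$changelog" | grep -qiE 'CVE-2014-0160|heartbleed'; then
                echo patched
            else
                echo vulnerable
            fi
            ;;
        *)
            echo unaffected
            ;;
    esac
}

# check_installed_openssl: run the real rpm queries on this host.
# SLE ships the library separately from the 'openssl' tool package
# (libopenssl0_9_8, libopenssl1_0_0, ...); services link the library, so
# query both. Returns 0 if nothing is classified vulnerable, 1 if something
# is, 2 if the check cannot run here.
check_installed_openssl() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found: this check is for RPM systems such as SLES/openSUSE" >&2
        return 2
    fi
    # Default -qa output is NAME-VERSION-RELEASE.ARCH, one package per line.
    pkgs=$(rpm -qa 'openssl' 'libopenssl*')
    if [ -z "$pkgs" ]; then
        echo "no openssl packages installed" >&2
        return 2
    fi
    rc=0
    for pkg in $pkgs; do
        ver=$(rpm -q --qf '%{VERSION}' "$pkg")
        log=$(rpm -q --changelog "$pkg")
        st=$(heartbleed_status "$ver" "$log")
        echo "$pkg: $st"
        if [ "$st" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Offline demo with constructed inputs mirroring the thread's cases:
# SLE's 0.9.8, openSUSE 13.1's backport-fixed 1.0.1e, an unfixed 1.0.1e, 1.0.1g.
demo() {
    for v in 0.9.8j 1.0.1e 1.0.1g; do
        echo "$v, fix in changelog:    $(heartbleed_status "$v" "$SAMPLE_CHANGELOG")"
        echo "$v, no fix in changelog: $(heartbleed_status "$v" "")"
    done
}

demo
if [ "${1:-}" = "--host" ]; then
    check_installed_openssl
fi
```

Run it with `--host` on the server to query rpm instead of the constructed demo inputs. Two things the package check cannot see: a changelog that records the fix under different wording (adjust the grep pattern to your distro's convention), and processes that loaded the old libssl before the update, which keep the old code until restarted (lsof lists such mappings with a "(deleted)" path).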