NetTalk Central

Author Topic: Massive security bug in OpenSSL  (Read 3899 times)

Johan de Klerk

  • Full Member
  • ***
  • Posts: 214
  • Johan de Klerk
    • Designer Software
Massive security bug in OpenSSL
« on: April 08, 2014, 11:47:20 PM »
Hi,

For everyone that uses OpenSSL:

Massive security bug may leave SA sites vulnerable: http://mybroadband.co.za/news/security/100204-massive-security-bug-may-leave-sa-sites-vulnerable.html

TLS heartbeat read overrun (CVE-2014-0160): https://www.openssl.org/news/secadv_20140407.txt

OpenSSL 1.0.1g is now available, including bug and security fixes: https://www.openssl.org/source/

Regards

Johan de Klerk
Clarion 10, NT 11.57

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11193
Re: Massive security bug in OpenSSL
« Reply #1 on: April 09, 2014, 05:18:30 AM »
I have got the new OpenSSL build and will make it available in a NT8 and NT7 build soon. The updated binaries are also attached to this post. NT6 users are not affected as NT6 uses an earlier version of OpenSSL without this bug.


[attachment deleted by admin]

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11193
Re: Massive security bug in OpenSSL
« Reply #2 on: April 10, 2014, 04:44:49 AM »
Update:

If you are not sure if your site is affected or not you can use;
http://filippo.io/Heartbleed/

Sites built using NetTalk 7.10 and earlier are using older OpenSSL DLLs and so are not affected.

Sites using 7.11 or later are recommended to get the 7.39 update and use the OpenSSL DLLs from there. (Or just download the DLLs directly from my earlier post and place them in the application folder.)

Sites built with NT8 are recommended to update to NT8.07 or later, or use the DLLs mentioned above.

Cheers
Bruce


CaseyR

  • Sr. Member
  • ****
  • Posts: 448
Re: Massive security bug in OpenSSL
« Reply #3 on: April 11, 2014, 01:57:21 PM »
Hi, Bruce

Just to confirm. I have updated to NT7.39, but I noticed that in the accessories\bin folder, while the OpenSSL.exe and CLANet.dll are dated April 2014, the SSL DLLs are all dated years ago. It is a reversion to get us over the crisis, right? There weren't new DLLs that somehow did not get installed or were not included in the setup archive?

Thanks.

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11193
Re: Massive security bug in OpenSSL
« Reply #4 on: April 14, 2014, 12:51:42 AM »
Hi Casey,

No, that doesn't sound right. The DLLs should be version 1.0.1g.
I've rebuilt the install and re-uploaded it just to be sure, but as far as I can tell the DLLs in the install were indeed 1.0.1g ones.

Note that if the DLL's are in use when you install the update, then you may need to reboot the machine for the install to complete. Usually the install warns you about that though.

Cheers
Bruce

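An added example, not code from this thread or from NetTalk, covering the two checks the posts above call for: Bruce's version rule in Reply #2 (which builds ship an affected OpenSSL) and his answer to Casey in Reply #4 (the shipped DLLs should be 1.0.1g, and file dates are not a reliable way to tell). The affected range is taken from the OpenSSL advisory linked in the first post: 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.8 not affected, 1.0.2-beta1 affected and fixed in 1.0.2-beta2. The function names are mine, the sample DLL bytes are constructed (not a real DLL), and the DLL scan assumes the library embeds the standard "OpenSSL x.y.z <date>" version text that `openssl version` also reports.

```python
"""Classify OpenSSL builds against the Heartbleed (CVE-2014-0160) affected range.

Added example. Range per the OpenSSL advisory of 7 April 2014:
1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.8 not affected,
1.0.2-beta1 affected and fixed in 1.0.2-beta2.
"""
import re
import ssl
from typing import Optional, Tuple

# Matches "1.0.1e", "1.0.2-beta1", "0.9.8y", "1.0.1" (no patch letter) ...
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# OpenSSL compiles its version text (e.g. "OpenSSL 1.0.1g 7 Apr 2014") into
# the crypto library, so a byte scan of libeay32.dll recovers it regardless
# of the file's timestamp (assumption stated in the lead-in).
VERSION_TEXT_RE = re.compile(
    rb"OpenSSL \d+\.\d+\.\d+[a-z]*(?:-beta\d+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")


def heartbleed_status(version_string: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown'."""
    m = VERSION_RE.search(version_string)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    patch_letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f carry the unchecked heartbeat length
        return "vulnerable" if patch_letter < "g" else "fixed"
    if release == (1, 0, 2):
        # only the first 1.0.2 beta shipped before the fix
        return "vulnerable" if beta is not None and int(beta) < 2 else "fixed"
    # 1.0.0, 0.9.8 and earlier never had the TLS heartbeat extension;
    # later branches were cut after the fix.
    return "not-affected"


def find_openssl_version_text(blob: bytes) -> Optional[str]:
    """Return the embedded 'OpenSSL x.y.z <date>' text from a DLL image, or None."""
    m = VERSION_TEXT_RE.search(blob)
    return m.group(0).decode("ascii") if m else None


def audit_binary(blob: bytes) -> Tuple[Optional[str], str]:
    """Pair a DLL image's embedded version text with its Heartbleed status."""
    text = find_openssl_version_text(blob)
    return text, (heartbleed_status(text) if text else "unknown")


def audit_dll_file(path: str) -> Tuple[Optional[str], str]:
    """Audit an OpenSSL DLL on disk, e.g. the ssleay32/libeay32 in an app folder."""
    with open(path, "rb") as fh:
        return audit_binary(fh.read())


def this_process_status() -> Tuple[str, str]:
    """Classify the OpenSSL linked into this Python interpreter."""
    return ssl.OPENSSL_VERSION, heartbleed_status(ssl.OPENSSL_VERSION)


# Constructed stand-in for a DLL image: a few header bytes, the version text
# OpenSSL embeds, and padding. Not a real DLL.
SAMPLE_DLL_BYTES = (b"MZ\x90\x00" + b"\x00" * 32
                    + b"OpenSSL 1.0.1g 7 Apr 2014\x00"
                    + b"\x00" * 32)

if __name__ == "__main__":
    for v in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.2-beta1"):
        print(f"{v:30} -> {heartbleed_status(v)}")
    print("constructed DLL image          ->", audit_binary(SAMPLE_DLL_BYTES))
    print("this interpreter               ->", this_process_status())
```

To check an installed NetTalk application the way Casey was trying to, point `audit_dll_file` at the OpenSSL DLLs in the application folder; the result comes from the version text compiled into the library, which is what matters, rather than from the file date, which a repackaged installer can leave unchanged.
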
CaseyR

  • Sr. Member
  • ****
  • Posts: 448
Re: Massive security bug in OpenSSL
« Reply #5 on: April 14, 2014, 11:11:27 AM »
Thanks, Bruce

I downloaded and ran the setup again which fixed the problem.

sstockst

  • Newbie
  • *
  • Posts: 7
Re: Massive security bug in OpenSSL
« Reply #6 on: April 16, 2014, 05:51:54 AM »
>> If you are not sure if your site is affected or not you can use;
>> http://filippo.io/Heartbleed/

Using NetTalk 4.5.x build from 2011.
Sites using OpenSSL 0.9.8 appear to be timing out using the suggested test sites now.

Is anyone else seeing this issue?
Thanks


Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11193
Re: Massive security bug in OpenSSL
« Reply #7 on: April 16, 2014, 08:27:30 PM »
Hi Steven,

While OpenSSL 0.9.8 might be immune to Heartbleed, that doesn't mean it isn't susceptible to other things. You probably want to update that at some point.

As a general rule it's better to be on later. (Heartbleed is maybe an exception to that logic <g>)

Here's another test URL you can use;
https://www.ssllabs.com/ssltest/index.html

Cheers
Bruce