NetTalk Central

Author Topic: Massive security bug in OpenSSL  (Read 5850 times)

Johan de Klerk

  • Full Member
  • ***
  • Posts: 217
  • Johan de Klerk
    • View Profile
    • Designer Software
Massive security bug in OpenSSL
« on: April 08, 2014, 11:47:20 PM »
Hi,

For everyone that uses OpenSSL:

Massive security bug may leave SA sites vulnerable: http://mybroadband.co.za/news/security/100204-massive-security-bug-may-leave-sa-sites-vulnerable.html

TLS heartbeat read overrun (CVE-2014-0160): https://www.openssl.org/news/secadv_20140407.txt

OpenSSL 1.0.1g is now available, including bug and security fixes: https://www.openssl.org/source/

Regards

Johan de Klerk
Clarion 10, NT 11.57

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Massive security bug in OpenSSL
« Reply #1 on: April 09, 2014, 05:18:30 AM »
I have got the new OpenSSL build and will make it available in a NT8 and NT7 build soon. the updated binaries are also attached to this post. NT6 users are not affected as NT6 uses an earlier version of OpenSSL without this bug.


[attachment deleted by admin]

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Massive security bug in OpenSSL
« Reply #2 on: April 10, 2014, 04:44:49 AM »
Update:

If you are not sure if your site is affected or not you can use;
http://filippo.io/Heartbleed/

Sites built using NetTalk 7.10 and earlier are using older OpenSSL DLL's and so are not affected.

Sites using 7.11 or later are recommended to get the 7.39 update and use the OpenSSL DLL's from there. (Or just download the DLL's directly from my earlier post and place them in the application folder)

Sites built with NT8 are recommended to update to NT8.07 or later, or use the DLL's mentioned above.

Cheers
Bruce


CaseyR

  • Sr. Member
  • ****
  • Posts: 448
    • View Profile
    • Email
Re: Massive security bug in OpenSSL
« Reply #3 on: April 11, 2014, 01:57:21 PM »
Hi, Bruce

Just to confirm.   I have updated to NT7.39 but I noticed that in the accessories\bin folder that while the OpenSSL.exe and CLANet.dll are dated April 2014,  the ssl dlls are all dated years ago.   It is a reversion to get us over the crisis, right?  There weren't new dll's that somehow did not get installed or not included in the setup archive?

Thanks.

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Massive security bug in OpenSSL
« Reply #4 on: April 14, 2014, 12:51:42 AM »
Hi Casey,

no, that doesn't sound right. The DLL's should be version 1.0.1g.
I've rebuilt the install, and re-uploaded just to be sure, but as far as I can tell the dll's in the install were indeed 1.0.1g ones.

Note that if the DLL's are in use when you install the update, then you may need to reboot the machine for the install to complete. Usually the install warns you about that though.

Cheers
Bruce

CaseyR

  • Sr. Member
  • ****
  • Posts: 448
    • View Profile
    • Email
Re: Massive security bug in OpenSSL
« Reply #5 on: April 14, 2014, 11:11:27 AM »
Thanks, Bruce

I downloaded and ran the setup again which fixed the problem.

sstockst

  • Newbie
  • *
  • Posts: 7
    • View Profile
    • Email
Re: Massive security bug in OpenSSL
« Reply #6 on: April 16, 2014, 05:51:54 AM »
>> If you are not sure if your site is affected or not you can use;
>> http://filippo.io/Heartbleed/

Using NetTalk 4.5.x build from 2011.
Sites using OpenSSL 0.9.8 appear to be timing out using the suggested test sites now.

Is anyone else seeing this issue?
Thanks


Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Massive security bug in OpenSSL
« Reply #7 on: April 16, 2014, 08:27:30 PM »
Hi Steven,

While OpenSSL 0.9.8 might be immune to Heartbleed, that doesn't mean it isn't susceptible to other things. You probably want to update that at some point.

As a general rule it's better to be on later. (Heartbleed is maybe an exception to that logic <g>)

Here's another test URL you can use;
https://www.ssllabs.com/ssltest/index.html

Cheers
Bruce