  1. #1
    Linux Engineer TNFrank's Avatar
    Join Date
    Jul 2013
    Location
    Crossville, TN. USA
    Posts
    967

    Heartbleed Bug at the same time as XP EOL, interesting.


    Is it just me or does it seem kind of fishy that the Heartbleed Bug hit the airwaves at the same time as when XP reached End of Life? When so many folks are going to switch to Linux for their solution to XP reaching EOL to keep an Op System working on their older hardware and the news about the Heartbleed Bug, which affects OpenSSL, which is what Linux and other Open Source stuff uses to make a secure connection.
    By a strange twist of "fate" Microsoft doesn't use OpenSSL so it's secure.
    I'd almost think it was something planned by Microsoft to scare folks out of moving to Linux and moving to new hardware with Windows 8.1 instead.

    Anyone else think there's more going on here than meets the eye?
    No matter where ya' go, there ya' are.

  2. #2
    Linux Guru
    Join Date
    Dec 2013
    Posts
    1,565
    I doubt it - lots of software that runs on Windows uses OpenSSL as well.

  3. #3
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,423
    I think the same. Not every coincidence is worth a conspiracy theory.

    But I stumbled on this article, and the guy has a point:
    http://lorddoig.svbtle.com/heartblee...-x509-to-death
    You must always face the curtain with a bow.

  5. #4
    Linux Guru
    Join Date
    Dec 2013
    Posts
    1,565
    A good point. One I've often thought myself.

  6. #5
    Linux Engineer TNFrank's Avatar
    Join Date
    Jul 2013
    Location
    Crossville, TN. USA
    Posts
    967
    Quote Originally Posted by gregm View Post
    I doubt it - lots of software that runs on Windows uses OpenSSL as well.
    "Runs On" but not Microsoft/Windows itself, so if you have a Windows Server that's https it'll use something different for the "s" than OpenSSL. Apache on the other hand being Open Source does use OpenSSL.
    I also noticed that on an update on the grandkids' desktop that's running SolydX that's Debian Testing that they upgraded from OpenSSL 1.0.1e to 1.0.1g which is the secure version but on Kali and Point Linux that they only "upgraded" to OpenSSL 1.0.1e which still has the Bug in it. Not sure if they've added a patch to 1.0.1e or what but seems like Debian should throw caution to the wind and move to 1.0.1g even on their Stable installs just to be safe.
    Wonder if there's any way to just download a .deb package that'd be 1.0.1g and install it in place of 1.0.1e just for peace of mind?
    No matter where ya' go, there ya' are.

  7. #6
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,423
    There is the concept of backports for stable distributions.
    An updated Debian is no longer vulnerable to CVE-2014-0160
    http://www.debian.org/security/2014/dsa-2896
    You must always face the curtain with a bow.

  8. #7
    Linux Guru
    Join Date
    Dec 2013
    Posts
    1,565
    OpenSSL isn't Linux. There are other libraries available on Linux. Microsoft software likely uses SChannel but Apache on MS Windows probably uses OpenSSL.

  9. #8
    Linux Engineer docbop's Avatar
    Join Date
    Nov 2009
    Location
    Woodshed, CA
    Posts
    949
    Here the guy who created the bug says it wasn't intentional, no conspiracy.

    http://www.smh.com.au/it-pro/securit...410-zqta1.html

    For the coders out there here's a breakdown of the bug.
    http://www.theregister.co.uk/2014/04...leed_explained
    Last edited by docbop; 04-11-2014 at 09:16 PM.
    A lion does not lose sleep, over the opinion of sheep.

  10. #9
    Linux Engineer TNFrank's Avatar
    Join Date
    Jul 2013
    Location
    Crossville, TN. USA
    Posts
    967
    Just to be safe I've added Debian Testing Repos to my Kali install in sources.list. Doing an update as we speak.

    deb http://ftp.us.debian.org/debian testing main contrib non-free
    deb-src http://ftp.us.debian.org/debian testing main contrib non-free

    deb http://ftp.debian.org/debian/ jessie-updates main contrib non-free
    deb-src http://ftp.debian.org/debian/ jessie-updates main contrib non-free

    deb http://security.debian.org/ jessie/updates main contrib non-free
    deb-src http://security.debian.org/ jessie/updates main contrib non-free

    Need to do my other 3 laptops as well.

    P.S.
    Ok, just saw this in your link:
    "For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5."
    So I guess 1.0.1e is ok with the -2+deb7u5 patch added to it. Looks like I've done a sources.list upgrade for no reason, LOL
    No matter where ya' go, there ya' are.

  11. #10
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,423
    You shouldn't add a repository that isn't made for your distribution.
    This will cause package dependency errors, missing/additional files and non-working libraries and tools.
    You must always face the curtain with a bow.
