[CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Robert Arkiletian robark at gmail.com
Tue Apr 8 21:35:42 UTC 2014


On Tue, Apr 8, 2014 at 2:08 PM, Keith Keller
<kkeller at wombat.san-francisco.ca.us> wrote:
> On 2014-04-08, Robert Arkiletian <robark at gmail.com> wrote:
>>
>> if you include libcrypto in the grep then sshd is affected.
>
> That's unfortunate.  :(  Is the bug in libssl, libcrypto, or both?
>
> Since sshd is in doubt, I would like to force my users to change their
> password, which is stored on a central openldap server.  What's the
> canonical CentOS way to do this?  I've done some web searches for some
> answers, but haven't found anything really definitive, just some
> workarounds and some crude hacks.
>

I'm not positive but from reading other forums it seems sshd is *not* affected.

http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit
----snip---
It's worth pointing out that OpenSSH is not affected by the OpenSSL
bug. While OpenSSH does use openssl for some key-generation functions,
it does not use the TLS protocol (and in particular the TLS heartbeat
extension that heartbleed attacks). So there is no need to worry about
SSH being compromised, though it is still a good idea to update
openssl to 1.0.1g or 1.0.2-beta2 (but you don't have to worry about
replacing SSH keypairs).
----snip----

Can someone confirm the above to be true?
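The distinction the thread turns on is libssl (where the TLS/DTLS heartbeat handling lives) versus libcrypto (which OpenSSH links for ciphers and key handling). The script below is an added example, not code from the original poster or from CentOS: it classifies a process by which of the two libraries it has mapped, using /proc/<pid>/maps as the data source. The sample maps files it writes are constructed for a stand-alone run, and the function and variable names are this example's own.

```shell
#!/bin/sh
# classify_maps FILE: read a /proc/<pid>/maps-format file and report
#   ssl          libssl mapped (TLS heartbeat code path is present)
#   crypto-only  only libcrypto mapped (no TLS stack, so no heartbeat handling)
#   none         neither library mapped
classify_maps() {
  if grep -q 'libssl\.so' "$1"; then
    echo ssl
  elif grep -q 'libcrypto\.so' "$1"; then
    echo crypto-only
  else
    echo none
  fi
}

# scan_live: walk /proc and print pid, class and command line for every
# process that has either library mapped. Reading other users' maps
# needs root. A process that still maps the old library file after the
# package is updated has not picked up the fix and must be restarted.
scan_live() {
  for m in /proc/[0-9]*/maps; do
    pid=${m#/proc/}
    pid=${pid%/maps}
    r=$(classify_maps "$m" 2>/dev/null) || continue
    [ "$r" = none ] && continue
    printf '%s\t%s\t%s\n' "$pid" "$r" \
      "$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
  done
}

# Constructed sample maps (not captured from a real host), shaped like
# what sshd and httpd+mod_ssl show on CentOS 6 with openssl 1.0.1e.
SSHD_MAPS=$(mktemp)
HTTPD_MAPS=$(mktemp)
cat > "$SSHD_MAPS" <<'EOF'
7f0c1a000000-7f0c1a1b0000 r-xp 00000000 fd:00 131077 /usr/lib64/libcrypto.so.1.0.1e
7f0c1a3b0000-7f0c1a3c0000 r-xp 00000000 fd:00 131080 /lib64/libutil-2.12.so
EOF
cat > "$HTTPD_MAPS" <<'EOF'
7f4d22000000-7f4d221b0000 r-xp 00000000 fd:00 131077 /usr/lib64/libcrypto.so.1.0.1e
7f4d223c0000-7f4d22420000 r-xp 00000000 fd:00 131078 /usr/lib64/libssl.so.1.0.1e
EOF

echo "sshd-like process:  $(classify_maps "$SSHD_MAPS")"
echo "httpd-like process: $(classify_maps "$HTTPD_MAPS")"
```

Run `scan_live` as root after `yum update openssl` to list what is still using either library; anything reported as `ssl` is in scope for the heartbeat bug and should be restarted so it maps the patched file. Whether the installed package carries the fix can be checked with `rpm -q --changelog openssl | grep CVE-2014-0160`.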


