[FUG-BR] RES: RES: Fwd: [FreeBSD-Announce] HEADSUP! OpenSSL "Heartbleed" bug

Marcelo Gondim gondim at bsdinfo.com.br
Wed Apr 9 05:08:57 BRT 2014


On 09/04/14 04:44, Helio Loureiro wrote:
> And the outcry was over openssl sites.
>
> But it also affects ssh, openvpn, etc.
Right. libcrypt isn't part of openssl, or am I mistaken?

# ldd /usr/local/sbin/httpd
/usr/local/sbin/httpd:
     libm.so.5 => /lib/libm.so.5 (0x80087e000)
     libpcre.so.3 => /usr/local/lib/libpcre.so.3 (0x800aa4000)
     libaprutil-1.so.5 => /usr/local/lib/libaprutil-1.so.5 (0x800d0d000)
     libdb-4.8.so.0 => /usr/local/lib/libdb-4.8.so.0 (0x800f32000)
     libgdbm.so.4 => /usr/local/lib/libgdbm.so.4 (0x801287000)
     libintl.so.9 => /usr/local/lib/libintl.so.9 (0x801491000)
     libexpat.so.6 => /usr/local/lib/libexpat.so.6 (0x80169a000)
     libapr-1.so.5 => /usr/local/lib/libapr-1.so.5 (0x8018c0000)
     libcrypt.so.5 => /lib/libcrypt.so.5 (0x801af0000) <=========
     libthr.so.3 => /lib/libthr.so.3 (0x801d10000)
     libc.so.7 => /lib/libc.so.7 (0x801f35000)

# ldd /usr/sbin/sshd
/usr/sbin/sshd:
     libssh.so.5 => /usr/lib/private/libssh.so.5 (0x800862000)
     libutil.so.9 => /lib/libutil.so.9 (0x800aef000)
     libwrap.so.6 => /usr/lib/libwrap.so.6 (0x800d01000)
     libpam.so.5 => /usr/lib/libpam.so.5 (0x800f0a000)
     libbsm.so.3 => /usr/lib/libbsm.so.3 (0x801116000)
     libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x801330000)
     libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x80154e000)
     libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801757000)
     libhx509.so.11 => /usr/lib/libhx509.so.11 (0x8019cf000)
     libasn1.so.11 => /usr/lib/libasn1.so.11 (0x801c19000)
     libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x801eb6000)
     libroken.so.11 => /usr/lib/libroken.so.11 (0x8020b8000)
     libwind.so.11 => /usr/lib/libwind.so.11 (0x8022ca000)
     libheimbase.so.11 => /usr/lib/libheimbase.so.11 (0x8024f2000)
     libheimipcc.so.11 => /usr/lib/private/libheimipcc.so.11 (0x8026f6000)
     libcrypt.so.5 => /lib/libcrypt.so.5 (0x8028f8000) <=================
     libcrypto.so.7 => /lib/libcrypto.so.7 (0x802b18000)
     libz.so.6 => /lib/libz.so.6 (0x802f0b000)
     libc.so.7 => /lib/libc.so.7 (0x803121000)
     libldns.so.5 => /usr/lib/private/libldns.so.5 (0x8034c6000)
     libmd.so.6 => /lib/libmd.so.6 (0x80371b000)
     libthr.so.3 => /lib/libthr.so.3 (0x80392b000)

> Regards,
> Helio Loureiro
> http://helio.loureiro.eng.br
> http://br.linkedin.com/in/helioloureiro
> http://twitter.com/helioloureiro
> http://gplus.to/helioloureiro
>
>
> 2014-04-09 9:44 GMT+02:00 Helio Loureiro <helio at loureiro.eng.br>:
>
>> Hi,
>>
>> For those who use this affected openssl version (10.0), and have a site with
>> a large audience/security risk, they are recommending revoking the keys and
>> generating new ones.
>>
>> Regards,
>> Helio Loureiro
>> http://helio.loureiro.eng.br
>> http://br.linkedin.com/in/helioloureiro
>> http://twitter.com/helioloureiro
>> http://gplus.to/helioloureiro
>>
>>
>> 2014-04-09 4:04 GMT+02:00 Wendell Candido de Almeida <
>> wendell at pontualcargas.com.br>:
>>
>> The link came out broken.. now correct...
>>>
>>> http://info.abril.com.br/noticias/seguranca/2014/04/falha-grave-no-openssl-deixa-dados-sigilosos-vulneraveis-em-servidores-pela-web.shtml
>>>
>>> In more accessible language...
>>>
>>>
>>> http://info.abril.com.br/noticias/seguranca/2014/04/falha-grave-no-openssl-deixa-dados-sigilosos-vulneraveis-em-servidores-pela-web.shtml
>>>
>>>
>>> Wendell
>>>
>>>
>>> -----Original Message-----
>>> From: freebsd-bounces at fug.com.br [mailto:freebsd-bounces at fug.com.br] On behalf of Marcelo Gondim
>>> Sent: Tuesday, April 8, 2014 18:48
>>> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"
>>> Subject: [FUG-BR] Fwd: [FreeBSD-Announce] HEADSUP! OpenSSL "Heartbleed" bug
>>>
>>> It looks like it was serious this time.
>>>
>>>
>>> -------- Original Message --------
>>> Subject:        [FreeBSD-Announce] HEADSUP! OpenSSL "Heartbleed" bug
>>> Date:   Tue, 8 Apr 2014 20:42:29 GMT
>>> From:     FreeBSD Security Officer <security-officer at freebsd.org>
>>> Reply-To:    freebsd-security at freebsd.org
>>> To:   FreeBSD Security Advisories <security-advisories at freebsd.org>
>>>
>>>
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> Hi,
>>>
>>> This is a heads-up for the OpenSSL "Heartbleed" bug.
>>>
>>> FreeBSD port security/openssl have been patched on 2014-04-07 21:46:40 UTC
>>> (head, r350548) and 2014-04-07 21:48:07 UTC (branches/2014Q2, r350549).
>>>
>>> FreeBSD base system have been patched on 2014-04-08 18:27:32 UTC (head,
>>> r264265), 2014-04-08 18:27:39 UTC (stable/10, r264266), 2014-04-08
>>> 18:27:46 UTC (releng/10.0, r264267).  The update is available with
>>> freebsd-update.  All other supported FreeBSD branches are not affected by
>>> this issue.
>>>
>>> Users who use TLS client and/or server are strongly advised to apply
>>> updates
>>> immediately.
>>>
>>> Because of the nature of this issue, it's also recommended for system
>>> administrators to consider revoking all of server certificate, client
>>> certificate and keys that is used with these systems and invalidate active
>>> authentication credentials with a forced passphrase change.
>>>
>>> Formal security advisories would be announced later today.
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.22 (FreeBSD)
>>>
>>> -----END PGP SIGNATURE-----
>>>
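
Added example, not part of the original thread: a small triage helper for the `ldd` check shown in the message above. It separates libssl (OpenSSL's TLS library, which contains the heartbeat code) from libcrypto (OpenSSL's primitives) and libcrypt (crypt(3), not OpenSSL). The function name, verdict strings and the mod_ssl sample are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: triage `ldd` output for OpenSSL linkage.
#   libssl    - OpenSSL's TLS library, where the heartbeat code lives
#   libcrypto - OpenSSL's crypto primitives (no TLS record handling)
#   libcrypt  - crypt(3) password hashing; not part of OpenSSL

classify_ldd() {
    # Reads `ldd` output on stdin and prints one verdict.
    # Matching the soname in column 1 with an escaped ".so" keeps
    # "libcrypt.so" from being mistaken for "libcrypto.so".
    awk '
        $1 ~ /^libssl\.so/    { ssl = 1 }
        $1 ~ /^libcrypto\.so/ { crypto = 1 }
        $1 ~ /^libcrypt\.so/  { crypt = 1 }
        END {
            if (ssl)         print "links-libssl"
            else if (crypto) print "libcrypto-only"
            else if (crypt)  print "libcrypt-only"
            else             print "no-openssl"
        }'
}

# Constructed samples: the first two are trimmed from the ldd output in the
# message above; the mod_ssl one is hypothetical (sonames and addresses made up).
sample_httpd() { cat <<'EOF'
/usr/local/sbin/httpd:
     libcrypt.so.5 => /lib/libcrypt.so.5 (0x801af0000)
     libc.so.7 => /lib/libc.so.7 (0x801f35000)
EOF
}

sample_sshd() { cat <<'EOF'
/usr/sbin/sshd:
     libcrypt.so.5 => /lib/libcrypt.so.5 (0x8028f8000)
     libcrypto.so.7 => /lib/libcrypto.so.7 (0x802b18000)
EOF
}

sample_mod_ssl() { cat <<'EOF'
mod_ssl.so:
     libssl.so.7 => /usr/lib/libssl.so.7 (0x800000000)
     libcrypto.so.7 => /lib/libcrypto.so.7 (0x800200000)
EOF
}

for s in sample_httpd sample_sshd sample_mod_ssl; do
    printf '%s: %s\n' "$s" "$($s | classify_ldd)"
done
```

On a live host, pipe `ldd /path/to/file` into `classify_ldd` for loadable modules as well as main executables, since a server that loads its TLS support as a module will not show libssl on the executable itself. Linkage only identifies which files use the library; whether the installed library is a patched build is a separate check.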


