List: osgeo-discuss
Subject: Re: [OSGeo-Discuss] OSGeo-Live and HeartBleed vulnerability
From: Cameron Shorter <cameron.shorter () gmail ! com>
Date: 2014-04-14 20:27:43
Message-ID: 534C44BF.808 () gmail ! com
Further on heartbleed and osgeolive:
On 14/04/14 10:49 PM, Markus Neteler wrote:
>> A restart of all services is recommended after the update is applied.
> ... it is a *must*. Otherwise the old libs are used from RAM.
> I tested that.
>
Thanks Markus for the insight.
On 14/04/14 10:26 PM, Cameron Shorter wrote:
>
> The Heartbleed Bug <http://heartbleed.com/> - described in this Ubuntu
> Security Note <http://www.ubuntu.com/usn/usn-2165-1/> - is a serious
> security exposure, and affects the relevant software components shipped on
> OSGeo-Live versions 6.0 to the present 7.9.
>
> As described in many widely available posts on the Internet, the
> HeartBleed vulnerability is exposed when network software uses the
> Transport Layer Security (TLS) feature built on top of a current
> version of the encryption library openssl. The fix to the
> vulnerability is to upgrade the openssl package via the Ubuntu/Debian
> apt mechanism.
>
> No software on the OSGeo-Live is configured to serve network
> connections using TLS "out of the box." However, some software (such
> as QGis) which provides WMS connectivity to other network services, may
> create a reverse-vulnerability when a secure connection is
> established. By patching your OSGeo-Live openssl library, you can
> close that reverse-exposure.
>
> Please note that the OSGeo-Live project does not recommend using
> OSGeo-Live "as-is" for production deployment on the Internet.
>
> All users of OSGeo Live from versions 6.0 to the present 7.9 release
> are strongly encouraged to apply software updates to any installed system.
>
>
> OSGeo-Live releases affected
>
> OSGeo-Live releases based on Ubuntu 12.04 are affected. This includes
> versions:
>
> * 6.0
> * 6.5
> * 7.0
> * 7.9
>
>
> How to Fix
>
> The OSGeo-Live project recommends that all installed versions of an
> affected OSGeo-Live release follow at a minimum, these steps:
>
> sudo apt-get update
> sudo apt-get install libssl1.0.0
>
> The default password is "user" (four characters).
>
> Using the graphical update manager will also work, click the 8-pointed
> star in the top toolbar. Make sure to check for updates and apply any
> updates to libssl available.
>
> A *restart* of all services is recommended after the update is applied.
> You can either do them by hand or reboot the whole system.
>
>
> Signed: The OSGeo-Live core development team.
--
Cameron Shorter,
Software and Data Solutions Manager
LISAsoft
Suite 112, Jones Bay Wharf,
26 - 32 Pirrama Rd, Pyrmont NSW 2009
P +61 2 9009 5000, W www.lisasoft.com, F +61 2 9009 5099
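Markus's point above (the old library stays in RAM until the process that loaded it is restarted) can be checked rather than assumed. What follows is an added example, not code from the announcement or from the OSGeo-Live project: a POSIX shell script that scans /proc/<pid>/maps for processes still holding the unlinked libssl/libcrypto after the apt upgrade, plus a dpkg check that the package on disk is actually the fixed one. The fixed version 1.0.1-4ubuntu5.12 is the Ubuntu 12.04 package listed in USN-2165-1 and is an assumption to verify against the advisory for other releases; the /proc fixture built by make_fixture is constructed sample data, not a capture from a real OSGeo-Live system.

```shell
#!/bin/sh
# Added example (not part of the OSGeo-Live announcement): after
# `sudo apt-get install libssl1.0.0`, find out whether anything still needs
# restarting. apt replaces libssl.so.1.0.0 / libcrypto.so.1.0.0 on disk, but a
# process that loaded them before the upgrade keeps executing the old,
# vulnerable copy until it is restarted. The kernel marks such mappings
# "(deleted)" in /proc/<pid>/maps, which is what stale_openssl scans for.

# stale_openssl [PROC_ROOT]
#   Prints one "PID<TAB>COMMAND<TAB>LIBRARY" line per process that still maps
#   an unlinked libssl or libcrypto. Exit 0 when nothing is stale, 1 when at
#   least one process is. PROC_ROOT defaults to /proc; another directory can
#   be passed so the logic can be exercised against a constructed fixture.
stale_openssl() {
    proc_root="${1:-/proc}"
    stale=0
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # glob miss, or a process we may not inspect
        pid="${maps%/maps}"; pid="${pid##*/}"
        # Field 6 of a maps line is the path. Keep only OpenSSL objects whose
        # line ends in "(deleted)", deduplicated because each library is
        # mapped several times (text, rodata, data). Assumes the path itself
        # contains no spaces, which holds for the distribution's library dirs.
        libs=$(grep -E '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null \
               | awk '{ print $6 }' | sort -u)
        [ -n "$libs" ] || continue
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
        stale=1
    done
    return $stale
}

# check_libssl_version [FIXED]
#   Confirms the installed libssl1.0.0 is at least the fixed version. The
#   default is the Ubuntu 12.04 version from USN-2165-1 (assumption: check the
#   advisory for other releases). Exit 0 if patched on disk, 1 if still
#   vulnerable, 2 if dpkg is not available (non-Debian host).
check_libssl_version() {
    fixed="${1:-1.0.1-4ubuntu5.12}"
    command -v dpkg-query >/dev/null 2>&1 || { echo 'dpkg-query not found' >&2; return 2; }
    installed=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null) \
        || { echo 'libssl1.0.0 not installed' >&2; return 2; }
    if dpkg --compare-versions "$installed" ge "$fixed"; then
        printf 'libssl1.0.0 %s >= %s: patched on disk\n' "$installed" "$fixed"
        return 0
    fi
    printf 'libssl1.0.0 %s < %s: still vulnerable, run apt-get\n' "$installed" "$fixed"
    return 1
}

# make_fixture
#   Builds a constructed /proc look-alike (sample data, not captured from a
#   real system) so the scan can be demonstrated offline: PID 101 is a
#   pre-upgrade process still running the unlinked libssl/libcrypto, PID 202
#   was started after the upgrade, PID 303 has an unrelated deleted mapping.
#   Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202" "$d/303"
    printf 'qgis\n' > "$d/101/comm"
    cat > "$d/101/maps" <<'EOF'
7f0a00000000-7f0a00040000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0a00040000-7f0a00240000 ---p 00040000 08:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0a00300000-7f0a00480000 r-xp 00000000 08:01 132 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f0a00500000-7f0a00520000 r-xp 00000000 08:01 140 /usr/lib/libqgis_core.so.2.0.1
EOF
    printf 'bash\n' > "$d/202/comm"
    cat > "$d/202/maps" <<'EOF'
7f0b00000000-7f0b00040000 r-xp 00000000 08:01 931 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f0b00300000-7f0b00480000 r-xp 00000000 08:01 932 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
    printf 'tmpwriter\n' > "$d/303/comm"
    cat > "$d/303/maps" <<'EOF'
7f0c00000000-7f0c00001000 rw-s 00000000 08:01 555 /tmp/scratch.dat (deleted)
EOF
    printf '%s\n' "$d"
}

# Invoked as `sudo sh stale_openssl.sh --scan` on the updated OSGeo-Live box.
if [ "${1:-}" = "--scan" ]; then
    check_libssl_version
    if stale_openssl; then
        echo 'no process still maps the old OpenSSL; no restart needed'
    else
        echo 'restart the processes listed above (or reboot) to unload the old OpenSSL' >&2
    fi
fi
```

Run the scan as root (or via sudo): /proc/<pid>/maps of another user's processes is only readable with sufficient privilege, so an unprivileged run silently skips them and can report a clean system that is not. On a live/demo system the simplest way to act on a non-empty listing is the reboot the announcement already suggests.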
_______________________________________________
Discuss mailing list
Discuss@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/discuss