Exploit Heartbleed SSL on OMV

  • Hi all,


    I would like to inform you that the Heartbleed exploit on OpenMediaVault is open.


    My system is up to date and the version of OpenSSL used is 1.0.1e February 2013; this version is impacted by the exploit and allows the private key of OpenMediaVault to be collected.


    You can see more information here: http://resources.infosecinstitute.com/exploiting-heartbleed/


    Can you update OpenSSL to 1.0.1g? This version fixes the exploit.


    Best Regards

  • You are right about the version, using: openssl version, outputs:

    Code
    OpenSSL 1.0.1e 11 Feb 2013


    But that's not the whole story. If you use: openssl version -a, it outputs:

    Code
    OpenSSL 1.0.1e 11 Feb 2013
    built on: Sun Feb 28 23:52:01 UTC 2016


    So, yes we are using an older version, but one that has been patched against Heartbleed.

    Thought I was going to read a proof post demonstrating the bug. This was patched in Debian stable at the time, in 2014.


    http://metadata.ftp-master.debian.org/changelogs/main/o/openssl/openssl_1.0.1e-2+deb7u20_changelog


    CVE-2014-0160 is the reference


    BTW, the changelog is present on every OMV system with openssl installed at /usr/share/doc/openssl/changelog.Debian.gz, so personal verification is one zgrep away :)
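
The changelog check mentioned in the last post, as an added example that is not part of the original thread: it reports which package revision first mentions a CVE, which is what matters on Debian because fixes are backported without changing the upstream version string. The function names and the sample changelog (including its `+exampleN` revision strings) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the package revision that introduced a CVE fix
# in a Debian-format changelog (newest stanza first, gzip-compressed).

# fixed_in CVE CHANGELOG.gz -> prints the oldest revision mentioning CVE,
# exits non-zero if the CVE is never mentioned.
fixed_in() {
    cve=$1; log=$2
    gzip -dc < "$log" | awk -v cve="$cve" '
        # Stanza header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            ver = $2; gsub(/[()]/, "", ver); next
        }
        # Entries are newest-first, so the last hit is the oldest revision.
        index($0, cve) { hit = ver }
        END { if (hit == "") exit 1; print hit }
    '
}

# make_sample -> writes a constructed changelog to a temp file, prints its path.
make_sample() {
    f=$(mktemp) || return 1
    gzip -c > "$f" <<'EOF'
openssl (1.0.1e-2+example3) wheezy-security; urgency=medium

  * Constructed entry: follow-up hardening, see CVE-2014-0160.

openssl (1.0.1e-2+example2) wheezy-security; urgency=high

  * Constructed entry: add bounds check for heartbeat, CVE-2014-0160.

openssl (1.0.1e-2+example1) unstable; urgency=low

  * Constructed entry: initial upload.
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample.
sample=$(make_sample)
if rev=$(fixed_in CVE-2014-0160 "$sample"); then
    echo "CVE-2014-0160 first addressed in revision: $rev"
else
    echo "CVE-2014-0160 not mentioned in changelog"
fi
rm -f "$sample"
```

On a real system, pass `/usr/share/doc/openssl/changelog.Debian.gz` as the second argument and compare the reported revision with the installed package revision.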
