[Solved] OpenSSL bug CVE-2014-0160; Hidden Service upgrade

grunge · April 8, 2014, 9:05am

Dear Patrick.

Are Workstation Servers without installed OpenSSL secure? I am working with 8 Release. So what we must do (Change) to forward continuing secure working? I read this on Tor Blog about Hidden Services

Hidden services: Tor hidden services might leak their long-term hidden service identity keys to their guard relays. Like the last big OpenSSL bug, this shouldn't allow an attacker to identify the location of the hidden service, but an attacker who knows the hidden service identity key can impersonate the hidden service. Best practice would be to move to a new hidden-service address at your convenience.

Means this all Servers compromised or only with OpenSSL, so the Question, should i do a new Hidden Address?

Best Regards

grunge

grunge · April 8, 2014, 1:20pm

Dear Patrick!

Do the sudo apt-get update && sudo apt-get dist-upgrade!

Best Regards

grunge

Patrick · April 8, 2014, 3:48pm

Are Workstation Servers without installed OpenSSL secure?

Without OpenSSL or with updated OpenSSL it’s ok.

Do the sudo apt-get update && sudo apt-get dist-upgrade!

That’s what is suggested in Whonix News.
(Download Whonix ™ (FREE))
(https://www.whonix.org/wiki/File:Whonixcheck_created_by_adrelanos.png)

I am working with 8 Release. So what we must do (Change) to forward continuing secure working?

sudo apt-get update && sudo apt-get dist-upgrade and sudo service tor restart (or reboot)

Yes, you should create a new hidden service domain as well (after restarting Tor). I’ll add this to Whonix News. I also plan to blog about this.

Patrick · April 8, 2014, 4:10pm

Blog post:

korupt · April 9, 2014, 1:23pm

Am I retarded or something, I don’t get the updated OpenSSL when running “sudo apt-get update && sudo apt-get dist-upgade”. On my host I’ve still got 1.0.1e and the way I understand it it is 1.0.1g that is safe so my questions are:

Can I manually update it on whonix with: Upgrade to Latest Version of OpenSSL on Ubuntu to 1.0.1g
Why didn’t I get the updated OpenSSL after update/upgrade commands? Is it my source lists that are fucked or am I doing something else wrong?

Thanks in advance

Patrick · April 9, 2014, 1:44pm

Looks like your sources.list and/or your host operating system is messed up. I do not recommend manually installing it - then you will miss verification of the update - or it will be difficult to verify. That energy should be rather put into fixing the updater.

grunge · April 9, 2014, 1:59pm

Dear Patrick, dear krejziman!

Please read here.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883

fixed 743883 + 1.0.1e-2+deb7u5 / seems fixed (This Version i have runnin after the update/upgrade)

Debian + Ubuntu patch the Version

So, when i am wrong, please tell me!

Best Regards!

grunge

grunge · April 9, 2014, 2:30pm

Present i get a security Update/Upgrade to Version 1.0.1e-2+deb7u6. So long and now the Big Question, should i do now another Time a new HiddenService URL or not?

https://www.debian.org/security/2014/dsa-2896

Best Regards!

grunge

Patrick · April 9, 2014, 2:39pm

Source:

zless /usr/share/doc/openssl/changelog.Debian.gz

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

Non-maintainer upload by the Security Team.

Enable checking for services that may need to be restarted

Update list of services to possibly restart

– Salvatore Bonaccorso carnil@debian.org Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

Non-maintainer upload by the Security Team.

Add CVE-2014-0160.patch patch.
CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

– Salvatore Bonaccorso carnil@debian.org Mon, 07 Apr 2014 22:26:55 +0200

Patrick · April 9, 2014, 2:41pm

No. Keys (hidden services) created with 1.0.1e-2+deb7u5 are okay.

grunge · April 9, 2014, 2:47pm

So when i understand yours right? I must create new Hidden Service Keys with 1.0.1e-2+deb7u6?

[quote=“Patrick, post:10, topic:220”][quote author=grunge link=topic=234.msg1552#msg1552 date=1397053810]
Present i get a security Update/Upgrade to Version 1.0.1e-2+deb7u6. So long and now the Big Question, should i do now another Time a new HiddenService URL or not?
[/quote]
No. Keys (hidden services) created with 1.0.1e-2+deb7u5 are okay.[/quote]

Best Regards!

grunge

Patrick · April 9, 2014, 2:56pm

Have you already created a new Hidden Service key using 1.0.1e-2+deb7u5?

If yes, then no more change is required. The 1.0.1e-2+deb7u6 update, simply put, “isn’t that important” (see changelog).
If no, then yes, create a new HIdden Service key.

grunge · April 9, 2014, 3:08pm

Hallo dear Patrick!

I create new HiddenServiceKey after the patch that i get from update/upgrade from 1.0.1e-2+deb7u5. So, God bless, now i am secure and my work will be forwarding. Thank you for your Answering! Well, let me say thank you for the great Help and very good Support you gave here!

Best Regards!

grunge