[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

[Solved] OpenSSL bug CVE-2014-0160; Hidden Service upgrade

Support
#1

Dear Patrick.

Are Workstation Servers without installed OpenSSL secure? I am working with 8 Release. So what we must do (Change) to forward continuing secure working? I read this on Tor Blog about Hidden Services

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

Hidden services: Tor hidden services might leak their long-term hidden service identity keys to their guard relays. Like the last big OpenSSL bug, this shouldn't allow an attacker to identify the location of the hidden service, but an attacker who knows the hidden service identity key can impersonate the hidden service. Best practice would be to move to a new hidden-service address at your convenience.

Means this all Servers compromised or only with OpenSSL, so the Question, should i do a new Hidden Address?

Best Regards

grunge

#2

Dear Patrick!

Do the sudo apt-get update && sudo apt-get dist-upgrade!

Best Regards

grunge

#3
Are Workstation Servers without installed OpenSSL secure?

Without OpenSSL or with updated OpenSSL it’s ok.

That’s what is suggested in Whonix News.
(https://www.whonix.org/wiki/Download#Whonix_Version_Check_and_Whonix_News)
(https://www.whonix.org/wiki/File:Whonixcheck_created_by_adrelanos.png)

I am working with 8 Release. So what we must do (Change) to forward continuing secure working?
sudo apt-get update && sudo apt-get dist-upgrade and sudo service tor restart (or reboot)

Yes, you should create a new hidden service domain as well (after restarting Tor). I’ll add this to Whonix News. I also plan to blog about this.

#4

Blog post:
https://www.whonix.org/blog/heartbleed-security-advisory

#5

Am I retarded or something, I don’t get the updated OpenSSL when running “sudo apt-get update && sudo apt-get dist-upgade”. On my host I’ve still got 1.0.1e and the way I understand it it is 1.0.1g that is safe so my questions are:

  1. Can I manually update it on whonix with: http://sandilands.info/sgordon/upgrade-latest-version-openssl-on-ubuntu to 1.0.1g
  2. Why didn’t I get the updated OpenSSL after update/upgrade commands? Is it my source lists that are fucked or am I doing something else wrong?

Thanks in advance

#6

Looks like your sources.list and/or your host operating system is messed up. I do not recommend manually installing it - then you will miss verification of the update - or it will be difficult to verify. That energy should be rather put into fixing the updater.

#7

Dear Patrick, dear krejziman!

Please read here.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883

fixed 743883 + 1.0.1e-2+deb7u5 / seems fixed (This Version i have runnin after the update/upgrade)

Debian + Ubuntu patch the Version

So, when i am wrong, please tell me!

Best Regards!

grunge

#8

Present i get a security Update/Upgrade to Version 1.0.1e-2+deb7u6. So long and now the Big Question, should i do now another Time a new HiddenService URL or not?

https://www.debian.org/security/2014/dsa-2896

Best Regards!

grunge

#9

Source:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
  • Non-maintainer upload by the Security Team.
  • Enable checking for services that may need to be restarted
  • Update list of services to possibly restart

– Salvatore Bonaccorso carnil@debian.org Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

  • Non-maintainer upload by the Security Team.
  • Add CVE-2014-0160.patch patch.
    CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
    A missing bounds check in the handling of the TLS heartbeat extension
    can be used to reveal up to 64k of memory to a connected client or
    server.

– Salvatore Bonaccorso carnil@debian.org Mon, 07 Apr 2014 22:26:55 +0200

#10

No. Keys (hidden services) created with 1.0.1e-2+deb7u5 are okay.

#11

So when i understand yours right? I must create new Hidden Service Keys with 1.0.1e-2+deb7u6?

[quote=“Patrick, post:10, topic:220”][quote author=grunge link=topic=234.msg1552#msg1552 date=1397053810]
Present i get a security Update/Upgrade to Version 1.0.1e-2+deb7u6. So long and now the Big Question, should i do now another Time a new HiddenService URL or not?
[/quote]
No. Keys (hidden services) created with 1.0.1e-2+deb7u5 are okay.[/quote]

Best Regards!

grunge

#12

Have you already created a new Hidden Service key using 1.0.1e-2+deb7u5?

  • If yes, then no more change is required. The 1.0.1e-2+deb7u6 update, simply put, “isn’t that important” (see changelog).
  • If no, then yes, create a new HIdden Service key.
#13

Hallo dear Patrick!

I create new HiddenServiceKey after the patch that i get from update/upgrade from 1.0.1e-2+deb7u5. So, God bless, now i am secure and my work will be forwarding. Thank you for your Answering! Well, let me say thank you for the great Help and very good Support you gave here!

Best Regards!

grunge

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]