OpenSSL CVE-2014-0160

Discussion in 'General' started by yak983, Apr 8, 2014.

  1. yak983

    yak983 New Member

    How to fix?
    With Apache it's easy: update OpenSSL and restart it. With LiteSpeed that doesn't work. Any idea?
  2. yak983

    yak983 New Member

  3. mistwang

    mistwang LiteSpeed Staff

    Please upgrade to 4.2.9 with

    /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.9
  4. ms_services

    ms_services New Member

    /lsws-4.2.9-std-x86_64-linux.tar.gz: unexpected end of file
    tar: This does not look like a tar archive
    tar: Error exit delayed from previous errors
    /update.sh: line 70: cd: /lsws-4.2.9: No such file or directory
  5. ms_services

    ms_services New Member

  6. mistwang

    mistwang LiteSpeed Staff

    There is no x86_64 package for the standard release. Maybe something is wrong with your installation if you do use LSWS Enterprise.
    Remove /usr/local/lsws/autoupdate/release, then try again.
  7. ms_services

    ms_services New Member

    Thank you, removing autoupdate/release and trying again fixed it. 4.2.9 updated and the Heartbleed test at flippio showed false for vulnerability.
  8. ExpansionCLOUD

    ExpansionCLOUD New Member

  9. JulesR

    JulesR New Member

    Thanks for providing the patched update, however the Heartbleed test is failing with a timeout. This is probably a Heartbleed issue, but I wanted to post here and check if it's a problem with the Litespeed release?

    EDIT: Just to confirm, it's definitely NOT timing out. Telnets to port 443 go through fine, I believe the "timeout" error just means the script can't interpret the response Litespeed is providing.
  10. Michael

    Michael Administrator Staff Member

    Howdy,

    In the Heartbleed FAQ it says, "if the error below is a timeout then my servers are under too heavy load, probably".

    Thus, I think the issue is that too many people are using this test.

    Michael
  11. JulesR

    JulesR New Member

    Michael,

    Thanks for your response, but that's not the case. I'm running the Heartbleed tool from a local machine that is used for testing like this, not from the Heartbleed website.
  12. Michael

    Michael Administrator Staff Member

    Hmmm... Alright, then we'll have to go with your hypothesis that the tool doesn't understand the response LSWS is giving. What tool are you using?

    We'll definitely keep our eyes out for more reports like this.

    Michael
  13. cornish

    cornish Member

    We did yum update and installed updates, but it still said VULNERABLE.

    Then we clicked that we had LiteSpeed installed, so we did the update to 4.2.9. Now all we get on the Heartbleed test is a timeout.

    And one of our servers says this below on heartbleed test

    Uh-oh, something went wrong:tls: oversized record received with length 20527
  14. gboudreau

    gboudreau Member

    Michael: I get the same timeout as JulesR after I upgraded to 4.2.9.
    I use the Heartbleed CLI tool available here: https://github.com/FiloSottile/Heartbleed
    I would like to confirm that this timeout is the expected response for this test and a patched LiteSpeed.
    Testing www.litespeedtech.com also returns a timeout, so at least we know all 4.2.9 installs have the same behaviour.
  15. joe

    joe Member

    Please check the lsws-4.2.9-std-i386-freebsd6.tar.gz download. The lshttpd.4.2.9 binary appears to be missing.

    kinda need it ;)
  16. cornish

    cornish Member

    The site you're using to check this may be producing a false positive, but I've checked and the OpenSSL version we are using is patched.

    You can check with this command below.

    rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
  17. gboudreau

    gboudreau Member

    That command will not indicate that the litespeed server installed on the server is OK.
    I'm running openssl-0.9.8e, which is not vulnerable, but my litespeed server was still vulnerable, thus the release of 4.2.9 required to fix this.
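Putting the point from the last two posts into a script, as an added example that is not from the thread or from LiteSpeed: the rpm changelog check from post 16 only covers the system OpenSSL package, and the LSWS 4.2.9 upgrade only covers LiteSpeed's own bundled OpenSSL, so a host is patched only when both checks pass. The changelog text is constructed, and the /usr/local/lsws/VERSION path used for the live check is an assumption.

```python
"""Combined CVE-2014-0160 exposure check for a host running LiteSpeed.
The system OpenSSL fix and the LSWS 4.2.9 fix are independent, so both
must be present before the host counts as patched."""
import re
import subprocess

CVE = "CVE-2014-0160"
FIXED_LSWS = (4, 2, 9)  # first LSWS release with the bundled OpenSSL fixed

# Constructed sample of what `rpm -q --changelog openssl` prints on a fixed host.
SAMPLE_CHANGELOG = (
    "* Mon Apr 07 2014 Example Maintainer - 1.0.1e-16.7\n"
    "- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n"
)


def openssl_changelog_mentions_fix(changelog: str) -> bool:
    """True if the rpm changelog references the CVE (the grep from post 16)."""
    return CVE in changelog


def parse_version(text: str) -> tuple:
    """'4.2.9' -> (4, 2, 9); compared as ints so that 4.2.10 ranks above 4.2.9."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def lsws_is_fixed(version_text: str) -> bool:
    return parse_version(version_text) >= FIXED_LSWS


def assess(changelog: str, lsws_version: str) -> dict:
    """Report each check separately plus the combined verdict."""
    ssl_ok = openssl_changelog_mentions_fix(changelog)
    lsws_ok = lsws_is_fixed(lsws_version)
    return {"system_openssl": ssl_ok, "lsws": lsws_ok, "patched": ssl_ok and lsws_ok}


def assess_live_host() -> dict:
    """Gather the inputs on a real RPM-based host (VERSION file path is an assumption)."""
    rpm = subprocess.run(["rpm", "-q", "--changelog", "openssl"],
                         capture_output=True, text=True)
    with open("/usr/local/lsws/VERSION") as f:
        version = f.read()
    return assess(rpm.stdout, version)


if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG, "4.2.8"))  # system OpenSSL fixed, LSWS not: patched False
```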
  18. cornish

    cornish Member

    Oh, sorry, my mistake. But if they have updated to 4.2.9 they should be OK.
  19. JulesR

    JulesR New Member

    I agree that it's likely the timeout response means we are not vulnerable, however it would be great if we could determine why the tool is incompatible with Litespeed (why is it providing a different response than expected) and get to a stage where the tool can be used to confirm this. For people with many servers who may wish to bulk check, this will provide a lot of peace of mind.
  20. Colin360

    Colin360 New Member

    12.04 LTS, OpenSSL updated, lsup also to 4.2.9; I also confirm the timeout Heartbleed response. Almost zero traffic on https at the testing time.
