Security threats - Heartbleed & Ghost

Support section for FREESCO v0.4.x


Postby mark » Wed Jan 28, 2015 7:20 am

Hi,

Last year two major vulnerabilities popped up: Heartbleed, and now recently Ghost, which are urging IT people to patch their systems.

Is there a danger of these vulnerabilities on FREESCO v0.4.x and if so is there a patch we can roll out?

Kind regards,

Mark
mark
Newbie
 
Posts: 8
Joined: Fri May 17, 2002 8:33 pm

Re: Security threats - Heartbleed & Ghost

Postby cgscs » Wed Jan 28, 2015 4:42 pm

On freesco 0.4.4, the command "ldd -v" yields the following result:
ldd: version 1.9.9

Hence, if I rightly understand the advisory http://www.openwall.com/lists/oss-security/2015/01/27/9, freesco is not vulnerable to the Ghost security threat, since the glibc version used is not affected by the vulnerability:
- The first vulnerable version of the GNU C Library is glibc-2.2,
released on November 10, 2000.

- We identified a number of factors that mitigate the impact of this
bug. In particular, we discovered that it was fixed on May 21, 2013
(between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it
was not recognized as a security threat; as a result, most stable and
long-term-support distributions were left exposed (and still are):
Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7,
Ubuntu 12.04, for example.


Concerning the Heartbleed flaw, it concerns openssl, which is there only if you manually installed it. In that case, you should check the version you installed and do whatever is necessary to patch or install a safer version.

Good luck.
cgscs
Newbie
 
Posts: 1
Joined: Sat Aug 18, 2007 10:28 pm
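Reading the glibc version off "ldd -v" tells you which release you have, but the advisory linked above also describes a direct test: hand gethostbyname_r() a numeric-looking name sized so that the buggy size computation in __nss_hostname_digits_dots() just fits the caller's buffer, and watch whether the resolver writes past the end of it. The program below is an added example modelled on that approach; it is not FREESCO code and not from the forum. The enum names, the 1024-byte buffer size and the canary string are choices made for this example. It has to be compiled and run on the box you are checking, against the libc it is linked to, because that libc is what is being exercised.

```c
/* Added example: local check for GHOST (CVE-2015-0235) in glibc's
 * gethostbyname_r(). Not FREESCO code; modelled on the test approach in
 * the Qualys advisory linked above. Build: cc -o ghost_check ghost_check.c */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Defensive redeclaration (compatible with glibc's prototype) so the check
 * still compiles under strict -std=c99 where netdb.h may hide it. */
int gethostbyname_r(const char *name, struct hostent *ret, char *buf,
                    size_t buflen, struct hostent **result, int *h_errnop);

#define CANARY "in_the_coal_mine"

/* Result codes returned by ghost_check(); names chosen for this example. */
enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,   /* buffer correctly rejected as too small (ERANGE) */
    GHOST_VULNERABLE = 1,       /* canary after the buffer was overwritten         */
    GHOST_UNEXPECTED = -1       /* neither outcome; inspect by hand                */
};

/*
 * The bug: for a "digits and dots" hostname, the resolver computed the
 * buffer it needed without counting one pointer-sized field (the alias
 * pointer). A name that is exactly one pointer too long therefore passes
 * the size check, and the copy runs past the end of the caller's buffer.
 * The canary sits immediately after the buffer so that overrun is visible.
 */
int ghost_check(void)
{
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } temp;
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;

    /* Name length that makes the buggy size computation fit exactly:
     * buffer - 16-byte address slot - two pointers - NUL terminator. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];

    memset(temp.buffer, 0, sizeof(temp.buffer));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* All digits, so the numeric-address path is taken instead of DNS. */
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;      /* the overflow reached the canary */
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;  /* fixed libc: size check caught it */
    return GHOST_UNEXPECTED;
}

int main(void)
{
    int r = ghost_check();

    if (r == GHOST_VULNERABLE)
        puts("vulnerable");
    else if (r == GHOST_NOT_VULNERABLE)
        puts("not vulnerable");
    else
        puts("unexpected result; check the libc by hand");

    return r == GHOST_NOT_VULNERABLE ? 0 : 1;
}
```

A "not vulnerable" result means the libc refused the undersized buffer with ERANGE, which is what the 2013 fix does; the third outcome shows up on libcs whose gethostbyname_r rejects the long name for another reason (an error such as HOST_NOT_FOUND) before ever sizing the buffer, so it is not proof either way and the libc version still has to be checked.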

Re: Security threats - Heartbleed & Ghost

Postby Lightning » Fri Jan 30, 2015 4:07 am

The 04x system is not vulnerable; however, if you have the "bash" or "utils" packages installed, it is. I have been working on the bash package and installed the current patches, but it still seems to be vulnerable, at least while using the old "env" binary included in the "utils" package. You can just delete or rename the /usr/bin/env binary from the system and it will pass the tests. But I haven't found (not looked hard for) the source code for the env binary yet.
If you are afraid that you might make a mistake, the chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12079
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: Security threats - Heartbleed & Ghost

Postby mark » Wed Mar 18, 2015 2:50 pm

OK guys, thanks already for this effort.
mark
Newbie
 
Posts: 8
Joined: Fri May 17, 2002 8:33 pm

