On 08/04/14 10:47, Rob Beard wrote:
>
>> Just checked OpenSSH dependencies in Debian apt, and they do include
>> libssl, so I guess OpenSSH is one of the affected apps. Damn.

As far as I know the bug affects applications where TLS is talked on the wire by OpenSSL. I believe OpenSSH just used crypto functions from openssl, and so is probably not vulnerable, but open to correction by anyone who's read the source carefully enough to say otherwise.

I've been patching today, and in some cases restarting services to avoid reboots.

The command:

    grep deleted /proc/*/maps

will show running programs depending on deleted shared libraries. Which you'll want if you didn't reboot. Debian supposedly handles this more gracefully, but Ubuntu quite happily carried on running the old OpenSSL version.

Using this I've seen Web servers (Apache/Nginx), XMPP servers (prosody), Mail servers (sendmail and Postfix), whoopsie (yes clients might be affected too), yum-updatesd, and OpenVPN as likely to be impacted.

Easiest is patch and reboot.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
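
Added example, not part of the original post: a script version of the /proc/*/maps check above that reports one line per process and deleted library, and skips deleted mappings that are not shared objects (such as /dev/zero). The function names deleted_libs, scan_proc and make_sample are hypothetical, and the sample maps lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: report which running processes still map a shared library
# that has been deleted on disk, for instance by a package upgrade.

# Print the unique deleted shared-object paths in one maps-format file.
# Line layout: address perms offset dev inode pathname [(deleted)]
# Assumption: library paths contain no spaces.
deleted_libs() {
    awk '$NF == "(deleted)" && $6 ~ /\.so(\.|$)/ { print $6 }' "$1" | sort -u
}

# Walk a /proc-style tree and print "PID<TAB>NAME<TAB>LIBRARY" per stale mapping.
# The body runs in a subshell so its variables stay local.
scan_proc() (
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null) || name='?'
        # Reading another user's maps fails without root; ignore those errors.
        deleted_libs "$dir/maps" 2>/dev/null | while read -r lib; do
            printf '%s\t%s\t%s\n' "${dir##*/}" "$name" "$lib"
        done
    done
)

# Build a small constructed /proc-like tree so the script can be tried offline.
make_sample() {
    mkdir -p "$1/101" "$1/202"
    echo nginx > "$1/101/comm"
    echo bash > "$1/202/comm"
    cat > "$1/101/maps" <<'EOF'
7f10a000-7f10b000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10b000-7f10c000 rw-p 00055000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f20a000-7f20b000 r-xp 00000000 08:01 1312 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f30a000-7f30b000 rw-s 00000000 00:04 0 /dev/zero (deleted)
EOF
    cat > "$1/202/maps" <<'EOF'
7f40a000-7f40b000 r-xp 00000000 08:01 2001 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
}

# Run as root with --scan to check every process on the live system.
if [ "${1:-}" = "--scan" ]; then scan_proc /proc; fi
```

Any process listed needs a restart to pick up the patched library; filter the output for libssl or libcrypto to focus on OpenSSL.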