WeChat ID
aaronpk_tv
Tuesday, April 8, 2014
-
-
So wait, a malicious server can also #heartbleed clients too? -
Let me rephrase that: If you run an API that sends webhooks, your users can #heartbleed your API servers
-
So uh, how can I confirm my Ruby is actually using the recompiled OpenSSL (Ubuntu 12.04) #heartbleed
-
Erik Berlin
https://twitter.com/sferik
•
Apr 8
To check the version of OpenSSL Ruby was built with:
ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'
Anything below 1.0.1g is vulnerable.
@JamesChevalier @sferik Thanks but on Ubuntu `openssl version` always says "OpenSSL 1.0.1 14 Mar 2012" even for the correctly patched version. #heartbleed http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl -
How to test and confirm OpenSSL is updated for Nginx and Ruby on Ubuntu 12.04
A quick guide to updating OpenSSL on Ubuntu 12.04 running Nginx and Ruby and verifying that your system is safe from the Heartbleed bug.continue reading... -
@veganstraightedge Actually looks like Instagram is 500'ing for me...
-
@sferik Yep. I managed to track it down tho: http://aaronparecki.com/articles/2014/04/08/1/ #heartbleed
-
@matt@biddul.ph
https://twitter.com/mattb
•
Apr 9
@aaronpk you can also do this to get the specific openssl version: strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
@mattb Unfortunately that *also* just returns "OpenSSL 1.0.1 14 Mar 2012". Thanks Ubuntu. -
@matt@biddul.ph
https://twitter.com/mattb
•
Apr 9
@aaronpk on my box I got "OpenSSL 1.0.1e 11 Feb 2013". perhaps you really do have exactly version 1.0.1?
@mattb Are you running Ubuntu 12.04?
-
@matt@biddul.ph
https://twitter.com/mattb
•
Apr 9
@aaronpk I already upgraded that box to 13.10 in order to upgrade to the fixed version listed in http://www.ubuntu.com/usn/usn-2165-1/
@mattb Yeah it seems to be unique to 12.04 LTS. I need to use the LTS version, not willing to upgrade to 13 tho.
