

Embargoed OpenSSL Vulnerabilities - feld
https://mta.openssl.org/pipermail/openssl-users/2015-March/000778.html

======
WestCoastJustin
Libs are always a pain to patch at the OS level, because you are not really
sure what links against the lib. You can do some manual work, but most often a
reboot is way easier. Here is a pretty common pattern that I use if I cannot
reboot right away. Doesn't hurt to go through the motions; then you have a
pretty good idea of what needs to be done, and it stops the panic patch work ;)

On RHEL/CentOS, you can use needs-restarting to tell you what processes need
restarting after a lib update.

    sudo yum update
    sudo yum install yum-utils.noarch
    sudo needs-restarting

On Debian/Ubuntu, you can use checkrestart to tell you what processes need
restarting after a lib update.

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install debian-goodies
    sudo checkrestart -v

It helps to work through this manually and wrap your head around what needs to
be done; then you can push that into automation tools if you have a large
enough infrastructure. Here's a screencast about the pattern for anyone
interested in learning more.

[1] [https://sysadmincasts.com/episodes/44-patching-the-ghost-gli...](https://sysadmincasts.com/episodes/44-patching-the-ghost-glibc-gethostbyname-cve-2015-0235-bug)
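
An added example (not WestCoastJustin's code, and not part of needs-restarting or checkrestart) of the check those tools automate: scanning /proc/<pid>/maps for shared objects whose on-disk file was replaced by the upgrade, which the kernel marks with a trailing "(deleted)". The sample maps content, its paths and inode numbers are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. After a package upgrade replaces libssl
# on disk, a process started earlier keeps the old file mapped, and
# /proc/<pid>/maps shows that mapping with a trailing "(deleted)".

# Read one maps file on stdin; print each distinct shared object whose
# on-disk file has been replaced or removed. Prints nothing when the
# process already uses current libraries.
deleted_libs() {
    # maps columns: address perms offset dev inode path [(deleted)]
    awk '$6 ~ /\.so(\.|$)/ && $7 == "(deleted)" { print $6 }' | sort -u
}

# Walk every process whose maps the caller may read (root sees them all)
# and report "<pid> <comm> <old library>" for each stale mapping.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        deleted_libs < "$maps" 2>/dev/null | while IFS= read -r lib; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed maps file of a process started before a libssl upgrade: three
# segments of the old libssl (reported once), a current libc (ignored), and a
# deleted regular file that is not a library (ignored).
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c1a8000 r-xp 00000000 08:01 1310720 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c1a8000-7f3a1c3a8000 ---p 001a8000 08:01 1310720 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c3a8000-7f3a1c3b8000 rw-p 001a8000 08:01 1310720 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 08:01 1310001 /lib/x86_64-linux-gnu/libc-2.19.so
7f3a1c600000-7f3a1c601000 rw-p 00000000 08:01 2621440 /tmp/session-cache (deleted)
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Stand-alone demo: the constructed sample first, then the live system.
sample_maps | deleted_libs
scan_procs
```

A process listed by scan_procs still has the pre-upgrade code in memory; restarting it (or rebooting) is what actually applies the fix.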

------
chomp
In case anyone was wondering what "high" means -

[https://www.openssl.org/about/secpolicy.html](https://www.openssl.org/about/secpolicy.html)

_high severity issues. This includes issues affecting common configurations
which are also likely to be exploitable. Examples include a server DoS, a
significant leak of server memory, and remote code execution. These issues
will be kept private and will trigger a new release of all supported versions.
We will attempt to keep the time these issues are private to a minimum; our
aim would be no longer than a month where this is something under our control,
and significantly quicker if there is a significant risk or we are aware the
issue is being exploited._

------
Stefan-H
Now is the time to ensure you know what your surface area is for OpenSSL. Do
you terminate SSL on your hosts? Do you have a load balancer that terminates
SSL for you? Do you distribute OpenSSL to clients? Do you have network devices
that have OpenSSL on them? These things are all important for you to know to
be able to handle the response to whatever drops on the 19th correctly. Good
luck!

------
feld
Hope to see a lot of OSes properly contacted and ready to release fixes on
3/19.

