[OSGeo-Discuss] OSGeo-Live and HeartBleed vulnerability
Cameron Shorter
cameron.shorter at gmail.com
Mon Apr 14 05:26:28 PDT 2014
The Heartbleed Bug <http://heartbleed.com/> - described in this Ubuntu
Security Note <http://www.ubuntu.com/usn/usn-2165-1/> - is a serious
security exposure, and the relevant software components shipped on
OSGeo-Live versions 6.0 to the present 7.9.
As described in many widely available posts on the Internet, the
HeartBleed vulnerability is exposed when network software uses the
Transport Layer Security (TLS) feature built on top of a current version
of the encryption library openssl. The fix to the vulnerability is to
upgrade the openssl package via the Ubuntu/Debian apt mechanism.
No software on the OSGeo-Live is configured to serve network connections
using TLS "out of the box." However, some software (such as QGIS) which
provides WMS connectivity to other network services may create a
reverse-vulnerability when a secure connection is established. By
patching your OSGeo-Live openssl library, you can close that
reverse-exposure.
Please note that the OSGeo-Live project does not recommend using
OSGeo-Live "as-is" for production deployment on the Internet.
All users of OSGeo Live from versions 6.0 to the present 7.9 release are
strongly encouraged to apply software updates to any installed system.
OSGeo-Live releases affected
OSGeo-Live releases based on Ubuntu 12.04 are affected. This includes
versions:
* 6.0
* 6.5
* 7.0
* 7.9
How to Fix
The OSGeo-Live project recommends that all installed versions of an
affected OSGeo-Live release follow, at a minimum, these steps:
sudo apt-get update
sudo apt-get install libssl1.0.0
The default password is "user" (four characters).
Using the graphical update manager will also work: click the 8-pointed
star in the top toolbar. Make sure to check for updates and apply any
updates to libssl available.
A *restart* of all services is recommended after the update is applied.
You can either restart them by hand or reboot the whole system.
Signed: The OSGeo-Live core development team.
--
Cameron Shorter,
Software and Data Solutions Manager
LISAsoft
Suite 112, Jones Bay Wharf,
26 - 32 Pirrama Rd, Pyrmont NSW 2009
P +61 2 9009 5000, W www.lisasoft.com, F +61 2 9009 5099
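
A check for the restart step in the advisory above, as an added example that is not part of the original message or of OSGeo-Live: after the libssl upgrade, a process started earlier keeps the replaced library mapped, and its /proc/PID/maps entry for libssl ends in "(deleted)". The function names and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Print "PID NAME" for every process that still maps a libssl file which has
# been replaced on disk, i.e. a process that was not restarted after upgrade.
# The proc root is a parameter so the function can be pointed at a test tree.
stale_libssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # The package upgrade unlinks the old library file; the old inode
        # stays mapped and the kernel appends " (deleted)" to its path.
        if grep -Eq '/libssl\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            name="$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')"
            echo "$pid $name"
        fi
    done
}

# Constructed sample: a fake proc tree with one process still on the old
# library (101) and one started after the upgrade (202). Prints the tree path.
make_sample_proc() {
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/202"
    printf '%s\n' \
        'b7400000-b7450000 r-xp 00000000 08:01 1311 /lib/i386-linux-gnu/libssl.so.1.0.0 (deleted)' \
        > "$root/101/maps"
    echo qgis > "$root/101/comm"
    printf '%s\n' \
        'b7400000-b7450000 r-xp 00000000 08:01 2422 /lib/i386-linux-gnu/libssl.so.1.0.0' \
        > "$root/202/maps"
    echo qgis > "$root/202/comm"
    echo "$root"
}

# On a live system, run as root so every process's maps file is readable:
#   sudo sh -c '. ./check_libssl.sh; stale_libssl_procs'
```

An empty result means no running process still holds the old library; any line printed names a process to restart.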