[OSGeo-Discuss] OSGeo-Live and HeartBleed vulnerability
Cameron Shorter
cameron.shorter at gmail.com
Mon Apr 14 13:27:43 PDT 2014
Further on heartbleed and osgeolive:
On 14/04/14 10:49 PM, Markus Neteler wrote:
>> A restart of all services is recommended after the update is applied.
> ... it is a *must*. Otherwise the old libs are used from RAM.
> I tested that.
>
Thanks Markus for the insight.
On 14/04/14 10:26 PM, Cameron Shorter wrote:
>
> The Heartbleed Bug <http://heartbleed.com/> - described in this Ubuntu
> Security Note <http://www.ubuntu.com/usn/usn-2165-1/> - is a serious
> security exposure, and the relevant software components shipped on the
> OSGeo-Live versions 6.0 to the present 7.9.
>
> As described in many widely available posts on the Internet, the
> HeartBleed vulnerability is exposed when network software uses the
> Transport Layer Security (TLS) feature built on top of a current
> version of the encryption library openssl. The fix to the
> vulnerability is to upgrade the openssl package via the Ubuntu/Debian
> apt mechanism.
>
> No software on the OSGeo-Live is configured to serve network
> connections using TLS "out of the box." However, some software (such
> as QGis) which provide WMS connectivity to other network services, may
> create a reverse-vulnerability when a secure connection is
> established. By patching your OSGeo-Live openssl library, you can
> close that reverse-exposure.
>
> Please note that the OSGeo-Live project does not recommend using
> OSGeo-Live "as-is" for production deployment on the Internet.
>
> All users of OSGeo Live from versions 6.0 to the present 7.9 release
> are strongly encouraged to apply software updates to any installed system.
>
>
> OSGeo-Live releases affected
>
> OSGeo-Live releases based on Ubuntu 12.04 are affected. This includes
> versions:
>
> * 6.0
> * 6.5
> * 7.0
> * 7.9
>
>
> How to Fix
>
> The OSGeo-Live project recommends that all installed versions of an
> affected OSGeo-Live release follow at a minimum, these steps:
>
> sudo apt-get update
> sudo apt-get install libssl1.0.0
>
> The default password is "user" (four characters).
>
> Using the graphical update manager will also work, click the 8 pointed
> star in the top toolbar. Make sure to check for updates and apply any
> updates to libssl available.
>
> A *restart* of all services is recommended after the update is applied.
> You can either do them by hand or reboot the whole system.
>
>
> Signed: The OSGeo-Live core development team.
>
>
> --
> Cameron Shorter,
> Software and Data Solutions Manager
> LISAsoft
> Suite 112, Jones Bay Wharf,
> 26 - 32 Pirrama Rd, Pyrmont NSW 2009
>
> P +61 2 9009 5000, W www.lisasoft.com, F +61 2 9009 5099
>
>
--
Cameron Shorter,
Software and Data Solutions Manager
LISAsoft
Suite 112, Jones Bay Wharf,
26 - 32 Pirrama Rd, Pyrmont NSW 2009
P +61 2 9009 5000, W www.lisasoft.com, F +61 2 9009 5099
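
The restart requirement discussed in this thread (old libraries staying in RAM after the package update) can be checked directly. The script below is an added example, not part of the original post or of OSGeo-Live: it reads `/proc/<pid>/maps` and reports processes that still map a replaced libssl or libcrypto. The function names, the sample process names, pids and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes that still map a pre-upgrade OpenSSL library.
# When apt replaces libssl/libcrypto on disk, running processes keep the old
# file mapped, and Linux marks those mappings "(deleted)" in /proc/<pid>/maps.

# stale_ssl_libs FILE: unique deleted libssl/libcrypto paths in one maps file
# (field 6 is the path; "(deleted)" is the last field).
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' "$1" |
        sort -u
}

# scan_procs [ROOT]: print "pid<TAB>command<TAB>library" for each stale mapping.
scan_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # process exited or not readable
        dir=${maps%/maps}
        libs=$(stale_ssl_libs "$maps" 2>/dev/null) || continue
        name=$(cat "$dir/comm" 2>/dev/null) || name='?'
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "${dir##*/}" "$name" "$lib"
        done
    done
}

# make_sample ROOT: constructed /proc-style tree (pids, names, addresses invented).
make_sample() {
    mkdir -p "$1/101" "$1/202"
    echo apache2 > "$1/101/comm"   # running since before the upgrade
    echo qgis > "$1/202/comm"      # maps the new libssl; stale libz is ignored
    cat > "$1/101/maps" <<'EOF'
7f3a10000000-7f3a10055000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a10255000-7f3a10258000 r--p 00055000 08:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a0fc00000-7f3a0fdb0000 r-xp 00000000 08:01 130 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
EOF
    cat > "$1/202/maps" <<'EOF'
7f9b20000000-7f9b20055000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f9b1f000000-7f9b1f018000 r-xp 00000000 08:01 412 /lib/x86_64-linux-gnu/libz.so.1.2.3.4 (deleted)
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
scan_procs "$sample"     # on a real system: run `scan_procs /proc` as root
rm -rf "$sample"
```

An empty result from `scan_procs /proc` after the update means no running process still holds the old library.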