[OSGeo-Discuss] OSGeo-Live and HeartBleed vulnerability

Cameron Shorter cameron.shorter at gmail.com
Mon Apr 14 13:27:43 PDT 2014


Further on heartbleed and osgeolive:

On 14/04/14 10:49 PM, Markus Neteler wrote:
>> A restart of all services is recommended after the update is applied.
> ... it is a*must*. Otherwise the old libs are used from RAM.
> I tested that.
>

Thanks Markus for the insight.

On 14/04/14 10:26 PM, Cameron Shorter wrote:
>
> TheHeartbleed Bug <http://heartbleed.com/>- described inthis Ubuntu 
> Security Note <http://www.ubuntu.com/usn/usn-2165-1/>- is a serious 
> security exposure, and the relevant software components shipped on the 
> OSGeo-Live versions 6.0 to the present 7.9.
>
> As described in many widely available posts on the Internet, the 
> HeartBleed vulnerability is exposed when network software uses the 
> Transport Layer Security (TLS) feature built on top of a current 
> version of the encryption library openssl. The fix to the 
> vulnerability is to upgrade the openssl package via the Ubuntu/Debian 
> apt mechanism.
>
> No software on the OSGeo-Live is configured to serve network 
> connections using TLS "out of the box." However, some software (such 
> as QGis) which provide WMS connectivity to other network services, may 
> create a reverse-vulnerability when a secure connection is 
> established. By patching your OSGeo-Live openssl library, you can 
> close that reverse-exposure.
>
> Please note that the OSGeo-Live project does not recommend using 
> OSGeo-Live "as-is" for production deployment on the Internet.
>
> All users of OSGeo Live from versions 6.0 to the present 7.9 release 
> are strongly encouraged to apply software updates to any installed system.
>
>
>     OSGeo-Live releases effected
>
> OSGeo-Live releases based on Ubuntu 12.04 are effected. This includes 
> versions:
>
>   * 6.0
>   * 6.5
>   * 7.0
>   * 7.9
>
>
>     How to Fix
>
> The OSGeo-Live project recommends that all installed versions of an 
> affected OSGeo-Live release follow at a minimum, these steps:
>
> sudo apt-get update
> sudo apt-get install libssl1.0.0
>
> The default password is "user" (four characters).
>
> Using the graphical update manager will also work, click the 8 pointed 
> start in the top toolbar. Make sure to check for updates and apply any 
> updates to libssl available.
>
> A*restart*of all services is recommended after the update is applied. 
> You can either do them by hand or reboot the whole system.
>
>
> Signed: The OSGeo-Live core development team.
>
>
> -- 
> Cameron Shorter,
> Software and Data Solutions Manager
> LISAsoft
> Suite 112, Jones Bay Wharf,
> 26 - 32 Pirrama Rd, Pyrmont NSW 2009
>
> P +61 2 9009 5000,  Wwww.lisasoft.com,  F +61 2 9009 5099
>
>

-- 
Cameron Shorter,
Software and Data Solutions Manager
LISAsoft
Suite 112, Jones Bay Wharf,
26 - 32 Pirrama Rd, Pyrmont NSW 2009

P +61 2 9009 5000,  W www.lisasoft.com,  F +61 2 9009 5099

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/discuss/attachments/20140415/86f678ed/attachment-0002.html>


More information about the Discuss mailing list