|
|
|
|
| Re: Heartbleed bug? [message #185527 is a reply to message #185526] |
Wed, 09 April 2014 13:56   |
Robert Heller
Messages: 60
Registered: December 2010
Karma: 0
|
Member |
|
|
At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
> On 4/9/2014 8:24 AM, Kevin Burton wrote:
>> Anyone know how this bug http://heartbleed.com/ affects PHP when the extension is enabled? Is there a patch for the extension?
>>
>
> You need to be asking the OpenSSL people what products their bug affects.
Since this is a shared library on a typical Linux system (eg LAMP server), it
will affect any program that links with OpenSSL's library(-ies). I know that
at least the CentOS user group is talking about it and I am sure RedHat is
also looking at it. (A large number of LAMP servers run CentOS.)
>
--
Robert Heller -- 978-544-6933 / heller(at)deepsoft(dot)com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
|
|
|
|
| Re: Heartbleed bug? [message #185528 is a reply to message #185527] |
Wed, 09 April 2014 15:21 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/9/2014 9:56 AM, Robert Heller wrote:
> At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>>
>> On 4/9/2014 8:24 AM, Kevin Burton wrote:
>>> Anyone know how this bug http://heartbleed.com/ affects PHP when the extension is enabled? Is there a patch for the extension?
>>>
>>
>> You need to be asking the OpenSSL people what products their bug affects.
>
> Since this is a shared library on a typical Linux system (eg LAMP server), it
> will affect any program that links with OpenSSL's library(-ies). I know that
> at least the CentOS user group is talking about it and I am sure RedHat is
> also looking at it. (A large number of LAMP servers run CentOS.)
>
>>
>
That may or may not be. It depends on exactly what the problem is - or
exactly what it affects. From the description on the website, I can't
tell. Can you?
Obviously, though, those who know the code would know exactly what it
affects.
A bug in a program does not necessarily affect everything that touches
that program!
--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Heartbleed bug? [message #185529 is a reply to message #185528] |
Wed, 09 April 2014 15:43 |
Christoph Michael Bec
Messages: 207
Registered: June 2013
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle wrote:
> On 4/9/2014 9:56 AM, Robert Heller wrote:
>> At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle
>> <jstucklex(at)attglobal(dot)net> wrote:
>>
>>>
>>> On 4/9/2014 8:24 AM, Kevin Burton wrote:
>>>> Anyone know how this bug http://heartbleed.com/ affects PHP when the
>>>> extension is enabled? Is there a patch for the extension?
>>>>
>>>
>>> You need to be asking the OpenSSL people what products their bug
>>> affects.
>>
>> Since this is a shared library on a typical Linux system (eg LAMP
>> server), it
>> will affect any program that links with OpenSSL's library(-ies). I
>> know that
>> at least the CentOS user group is talking about it and I am sure
>> RedHat is
>> also looking at it. (A large number of LAMP servers run CentOS.)
>
> That may or may not be. It depends on exactly what the problem is - or
> exactly what it affects. From the description on the website, I can't
> tell. Can you?
>
> Obviously, though, those who know the code would know exactly what it
> affects.
>
> A bug in a program does not necessarily affect everything that touches
> that program!
ACK. However, the Windows x86 builds of PHP 5.5.11 shipped OpenSSL
1.0.1f (6 Jan 2014) and have been updated to ship OpenSSL 1.0.1g (7 Apr
2014) just a few hours ago. (The x64 builds are currently being worked
on.) So obviously PHP's OpenSSL extension is affected by the
"heartbleed" bug (at least on Windows).
--
Christoph M. Becker
|
|
|
|
| Re: Heartbleed bug? [message #185530 is a reply to message #185528] |
Wed, 09 April 2014 15:56 |
Robert Heller
Messages: 60
Registered: December 2010
Karma: 0
|
Member |
|
|
At Wed, 09 Apr 2014 11:21:51 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
> On 4/9/2014 9:56 AM, Robert Heller wrote:
>> At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>
>>>
>>> On 4/9/2014 8:24 AM, Kevin Burton wrote:
>>>> Anyone know how this bug http://heartbleed.com/ affects PHP when the extension is enabled? Is there a patch for the extension?
>>>>
>>>
>>> You need to be asking the OpenSSL people what products their bug affects.
>>
>> Since this is a shared library on a typical Linux system (eg LAMP server), it
>> will affect any program that links with OpenSSL's library(-ies). I know that
>> at least the CentOS user group is talking about it and I am sure RedHat is
>> also looking at it. (A large number of LAMP servers run CentOS.)
>>
>>>
>>
>
> That may or may not be. It depends on exactly what the problem is - or
> exactly what it affects. From the description on the website, I can't
> tell. Can you?
>
> Obviously, though, those who know the code would know exactly what it
> affects.
>
> A bug in a program does not necessarily affect everything that touches
> that program!
According to the CentOS mailing list, a patched version of the openssl
libraries was released yesterday. Only one version of CentOS (and I guess
RHEL) were affected: 6.5. The patched version of the openssl fixes that (one
also needs to remake certificates (with new private keys!) and revoke the old
ones. CentOS 5 and CentOS 6.4 and earlier were NOT affected. In *my* case
(deepsoft.com) since I run CentOS 5, *my* server is not affected. It is my
understanding that a *large* number of LAMP webservers are running some
version of CentOS. I presume that the system admins of the affected systems
are on the CentOS mailing list and are on top of things.
>
>
--
Robert Heller -- 978-544-6933 / heller(at)deepsoft(dot)com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
|
|
|
|
| Re: Heartbleed bug? [message #185531 is a reply to message #185529] |
Wed, 09 April 2014 17:37 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/9/2014 11:43 AM, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>
>> On 4/9/2014 9:56 AM, Robert Heller wrote:
>>> At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle
>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>>
>>>> On 4/9/2014 8:24 AM, Kevin Burton wrote:
>>>> > Anyone know how this bug http://heartbleed.com/ affects PHP when the
>>>> > extension is enabled? Is there a patch for the extension?
>>>> >
>>>>
>>>> You need to be asking the OpenSSL people what products their bug
>>>> affects.
>>>
>>> Since this is a shared library on a typical Linux system (eg LAMP
>>> server), it
>>> will affect any program that links with OpenSSL's library(-ies). I
>>> know that
>>> at least the CentOS user group is talking about it and I am sure
>>> RedHat is
>>> also looking at it. (A large number of LAMP servers run CentOS.)
>>
>> That may or may not be. It depends on exactly what the problem is - or
>> exactly what it affects. From the description on the website, I can't
>> tell. Can you?
>>
>> Obviously, though, those who know the code would know exactly what it
>> affects.
>>
>> A bug in a program does not necessarily affect everything that touches
>> that program!
>
> ACK. However, the Windows x86 builds of PHP 5.5.11 shipped OpenSSL
> 1.0.1f (6 Jan 2014) and have been updated to ship OpenSSL 1.0.1g (7 Apr
> 2014) just a few hours ago. (The x64 builds are currently being worked
> on.) So obviously PHP's OpenSSL extension is affected by the
> "heartbleed" bug (at least on Windows).
>
Does it? Or does it mean they just want to keep up with the latest
release? And if it does affect PHP, what functions does it affect, and
how does it affect them?
--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Heartbleed bug? [message #185532 is a reply to message #185530] |
Wed, 09 April 2014 17:38 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/9/2014 11:56 AM, Robert Heller wrote:
> At Wed, 09 Apr 2014 11:21:51 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>>
>> On 4/9/2014 9:56 AM, Robert Heller wrote:
>>> At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>>
>>>> On 4/9/2014 8:24 AM, Kevin Burton wrote:
>>>> > Anyone know how this bug http://heartbleed.com/ affects PHP when the extension is enabled? Is there a patch for the extension?
>>>> >
>>>>
>>>> You need to be asking the OpenSSL people what products their bug affects.
>>>
>>> Since this is a shared library on a typical Linux system (eg LAMP server), it
>>> will affect any program that links with OpenSSL's library(-ies). I know that
>>> at least the CentOS user group is talking about it and I am sure RedHat is
>>> also looking at it. (A large number of LAMP servers run CentOS.)
>>>
>>>>
>>>
>>
>> That may or may not be. It depends on exactly what the problem is - or
>> exactly what it affects. From the description on the website, I can't
>> tell. Can you?
>>
>> Obviously, though, those who know the code would know exactly what it
>> affects.
>>
>> A bug in a program does not necessarily affect everything that touches
>> that program!
>
> According to the CentOS mailing list, a patched version of the openssl
> libraries was released yesterday. Only one version of CentOS (and I guess
> RHEL) were affected: 6.5. The patched version of the openssl fixes that (one
> also needs to remake certificates (with new private keys!) and revoke the old
> ones. CentOS 5 and CentOS 6.4 and earlier were NOT affected. In *my* case
> (deepsoft.com) since I run CentOS 5, *my* server is not affected. It is my
> understanding that a *large* number of LAMP webservers are running some
> version of CentOS. I presume that the system admins of the affected systems
> are on the CentOS mailing list and are on top of things.
>
>>
>>
>
That may be. But it still doesn't answer your original question as to
how (or even if) it affects PHP.
--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Heartbleed bug? [message #185534 is a reply to message #185530] |
Wed, 09 April 2014 20:02 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 09/04/14 16:56, Robert Heller wrote:
> At Wed, 09 Apr 2014 11:21:51 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>>
>> On 4/9/2014 9:56 AM, Robert Heller wrote:
>>> At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>>
>>>> On 4/9/2014 8:24 AM, Kevin Burton wrote:
>>>> > Anyone know how this bug http://heartbleed.com/ affects PHP when the extension is enabled? Is there a patch for the extension?
>>>> >
>>>>
>>>> You need to be asking the OpenSSL people what products their bug affects.
>>>
>>> Since this is a shared library on a typical Linux system (eg LAMP server), it
>>> will affect any program that links with OpenSSL's library(-ies). I know that
>>> at least the CentOS user group is talking about it and I am sure RedHat is
>>> also looking at it. (A large number of LAMP servers run CentOS.)
>>>
>>>>
>>>
>>
>> That may or may not be. It depends on exactly what the problem is - or
>> exactly what it affects. From the description on the website, I can't
>> tell. Can you?
>>
>> Obviously, though, those who know the code would know exactly what it
>> affects.
>>
>> A bug in a program does not necessarily affect everything that touches
>> that program!
>
> According to the CentOS mailing list, a patched version of the openssl
> libraries was released yesterday. Only one version of CentOS (and I guess
> RHEL) were affected: 6.5. The patched version of the openssl fixes that (one
> also needs to remake certificates (with new private keys!) and revoke the old
> ones. CentOS 5 and CentOS 6.4 and earlier were NOT affected. In *my* case
> (deepsoft.com) since I run CentOS 5, *my* server is not affected. It is my
> understanding that a *large* number of LAMP webservers are running some
> version of CentOS. I presume that the system admins of the affected systems
> are on the CentOS mailing list and are on top of things.
>
>>
>>
>
I've seen and installed SSL updates on the mint<-Ubuntu<-debian tree
yesterday
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
|
|
|
|
| Re: Heartbleed bug? [message #185535 is a reply to message #185532] |
Wed, 09 April 2014 22:11 |
M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 09.04.2014 19:38, schrieb Jerry Stuckle:
> On 4/9/2014 11:56 AM, Robert Heller wrote:
>> At Wed, 09 Apr 2014 11:21:51 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>
>>>
>>> On 4/9/2014 9:56 AM, Robert Heller wrote:
>>>> At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>>
>>>> >
>>>> > On 4/9/2014 8:24 AM, Kevin Burton wrote:
>>>> >> Anyone know how this bug http://heartbleed.com/ affects PHP when the extension
>>>> >> is enabled? Is there a patch for the extension?
>>>> >>
>>>> >
>>>> > You need to be asking the OpenSSL people what products their bug affects.
>>>>
>>>> Since this is a shared library on a typical Linux system (eg LAMP server), it
>>>> will affect any program that links with OpenSSL's library(-ies). I know that
>>>> at least the CentOS user group is talking about it and I am sure RedHat is
>>>> also looking at it. (A large number of LAMP servers run CentOS.)
>>>>
>>>> >
>>>>
>>>
>>> That may or may not be. It depends on exactly what the problem is - or
>>> exactly what it affects. From the description on the website, I can't
>>> tell. Can you?
>>>
>>> Obviously, though, those who know the code would know exactly what it
>>> affects.
>>>
>>> A bug in a program does not necessarily affect everything that touches
>>> that program!
>>
>> According to the CentOS mailing list, a patched version of the openssl
>> libraries was released yesterday. Only one version of CentOS (and I guess
>> RHEL) were affected: 6.5. The patched version of the openssl fixes that (one
>> also needs to remake certificates (with new private keys!) and revoke the old
>> ones. CentOS 5 and CentOS 6.4 and earlier were NOT affected. In *my* case
>> (deepsoft.com) since I run CentOS 5, *my* server is not affected. It is my
>> understanding that a *large* number of LAMP webservers are running some
>> version of CentOS. I presume that the system admins of the affected systems
>> are on the CentOS mailing list and are on top of things.
>>
>>>
>>>
>>
>
> That may be. But it still doesn't answer your original question as to how (or even
> if) it affects PHP.
>
In german we call this "bug" a "GAU", that means "Maximum Credible Accident". You'd
better *make sure* you are not affected. Starting point: you are.
There seem to be "just a few versions" of openssl affected, but for those who are it
is a GAU.
/Str.
|
|
|
|
| Re: Heartbleed bug? [message #185536 is a reply to message #185525] |
Wed, 09 April 2014 23:43 |
Adam Harvey
Messages: 25
Registered: September 2010
Karma: 0
|
Junior Member |
|
|
On Wed, 09 Apr 2014 05:24:02 -0700, Kevin Burton wrote:
> Anyone know how this bug http://heartbleed.com/ affects PHP when the
> extension is enabled? Is there a patch for the extension?
OpenSSL has released version 1.0.1g to fix the Heartbleed bug. Non-
Windows users generally don't need to update their PHP installation;
upgrading OpenSSL to a fixed version is sufficient. (All major Linux
distributions have now shipped OpenSSL updates.) The Windows PHP packages
distributed from windows.php.net _do_ include a local copy of OpenSSL,
and have been rebuilt today to include 1.0.1g: if you're using a package
from windows.php.net, you should upgrade immediately.
Once you've upgraded OpenSSL, restart your Web server, PHP-FPM if you're
using it, and any other PHP processes you have running.
Note that you may need to take additional action, depending on whether
you fit into one (or more) of the following categories:
1. You're running a HTTPS server.
If you're running a Web server that uses OpenSSL to provide SSL/TLS (eg
Apache, nginx, lighttpd), you'll need to upgrade OpenSSL, restart your
Web server, _and_ revoke your SSL certificates and have them reissued
with new private keys. (This last step is due to the nature of the bug:
it's possible for an attacker to have already captured your private key,
and even if you upgrade OpenSSL, they could then use that to decrypt your
secure traffic.)
You should probably suggest to your users that they change their
passwords as well, since it may have been possible for attackers to
extract those opportunistically from your PHP process's memory,
particularly if you're using something like mod_php where the SSL/TLS
negotiation happens in the same process as PHP is executed in.
2. You're connecting to secure servers from within PHP _and_ using client
certificates.
This is extremely rare (if you don't know whether you're using client
certificates, you're not), but if you have code that sets the
CURLOPT_SSLCERT option or the SSL local_cert context option, you'll want
to revoke and reissue your client certificate(s) with new private keys
once you've upgraded OpenSSL.
3. You wrote a secure socket server _in_ PHP. (My God, why?)
It's possible to write a secure socket server in PHP by using
stream_socket_server() with the ssl:// or tls:// protocol. If so, the fix
is similar to the first case: upgrade OpenSSL, restart all PHP processes,
and create new server certificates using new private keys.
Adam
|
|
|
|
|
|
|
|
| Re: Heartbleed bug? [message #185539 is a reply to message #185531] |
Thu, 10 April 2014 06:51 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle, 2014-04-09 19:37:
> On 4/9/2014 11:43 AM, Christoph Michael Becker wrote:
[...]
>> ACK. However, the Windows x86 builds of PHP 5.5.11 shipped OpenSSL
>> 1.0.1f (6 Jan 2014) and have been updated to ship OpenSSL 1.0.1g (7 Apr
>> 2014) just a few hours ago. (The x64 builds are currently being worked
>> on.) So obviously PHP's OpenSSL extension is affected by the
>> "heartbleed" bug (at least on Windows).
>>
>
> Does it? Or does it mean they just want to keep up with the latest
> release? And if it does affect PHP, what functions does it affect, and
> how does it affect them?
I assume PHP does keep up with the latest release because they *are*
affected by the bug e.g. in stream_socket_enable_crypto().
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
http://fahrradzukunft.de
|
|
|
|
|
|
| Re: Heartbleed bug? [message #185541 is a reply to message #185539] |
Thu, 10 April 2014 11:52 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/10/2014 2:51 AM, Arno Welzel wrote:
> Jerry Stuckle, 2014-04-09 19:37:
>
>> On 4/9/2014 11:43 AM, Christoph Michael Becker wrote:
> [...]
>>> ACK. However, the Windows x86 builds of PHP 5.5.11 shipped OpenSSL
>>> 1.0.1f (6 Jan 2014) and have been updated to ship OpenSSL 1.0.1g (7 Apr
>>> 2014) just a few hours ago. (The x64 builds are currently being worked
>>> on.) So obviously PHP's OpenSSL extension is affected by the
>>> "heartbleed" bug (at least on Windows).
>>>
>>
>> Does it? Or does it mean they just want to keep up with the latest
>> release? And if it does affect PHP, what functions does it affect, and
>> how does it affect them?
>
> I assume PHP does keep up with the latest release because they *are*
> affected by the bug e.g. in stream_socket_enable_crypto().
>
>
You can ASS-U-ME all you want. I go by the facts. And if I were
concerned about PHP being involved, I would ask the OpenSSL people.
--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Heartbleed bug? [message #185542 is a reply to message #185535] |
Thu, 10 April 2014 11:53 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/9/2014 6:11 PM, M. Strobel wrote:
> Am 09.04.2014 19:38, schrieb Jerry Stuckle:
>> On 4/9/2014 11:56 AM, Robert Heller wrote:
>>> At Wed, 09 Apr 2014 11:21:51 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>>
>>>> On 4/9/2014 9:56 AM, Robert Heller wrote:
>>>> > At Wed, 09 Apr 2014 09:17:46 -0400 Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>> >
>>>> >>
>>>> >> On 4/9/2014 8:24 AM, Kevin Burton wrote:
>>>> >>> Anyone know how this bug http://heartbleed.com/ affects PHP when the extension
>>>> >>> is enabled? Is there a patch for the extension?
>>>> >>>
>>>> >>
>>>> >> You need to be asking the OpenSSL people what products their bug affects.
>>>> >
>>>> > Since this is a shared library on a typical Linux system (eg LAMP server), it
>>>> > will affect any program that links with OpenSSL's library(-ies). I know that
>>>> > at least the CentOS user group is talking about it and I am sure RedHat is
>>>> > also looking at it. (A large number of LAMP servers run CentOS.)
>>>> >
>>>> >>
>>>> >
>>>>
>>>> That may or may not be. It depends on exactly what the problem is - or
>>>> exactly what it affects. From the description on the website, I can't
>>>> tell. Can you?
>>>>
>>>> Obviously, though, those who know the code would know exactly what it
>>>> affects.
>>>>
>>>> A bug in a program does not necessarily affect everything that touches
>>>> that program!
>>>
>>> According to the CentOS mailing list, a patched version of the openssl
>>> libraries was released yesterday. Only one version of CentOS (and I guess
>>> RHEL) were affected: 6.5. The patched version of the openssl fixes that (one
>>> also needs to remake certificates (with new private keys!) and revoke the old
>>> ones. CentOS 5 and CentOS 6.4 and earlier were NOT affected. In *my* case
>>> (deepsoft.com) since I run CentOS 5, *my* server is not affected. It is my
>>> understanding that a *large* number of LAMP webservers are running some
>>> version of CentOS. I presume that the system admins of the affected systems
>>> are on the CentOS mailing list and are on top of things.
>>>
>>>>
>>>>
>>>
>>
>> That may be. But it still doesn't answer your original question as to how (or even
>> if) it affects PHP.
>>
>
> In german we call this "bug" a "GAU", that means "Maximum Credible Accident". You'd
> better *make sure* you are not affected. Starting point: you are.
>
> There seem to be "just a few versions" of openssl affected, but for those who are it
> is a GAU.
>
> /Str.
>
How do you know I am affected? Do you know my code? What PHP functions
it affects?
--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Heartbleed bug? [message #185543 is a reply to message #185541] |
Thu, 10 April 2014 12:03 |
Christoph Michael Bec
Messages: 207
Registered: June 2013
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle wrote:
> On 4/10/2014 2:51 AM, Arno Welzel wrote:
>> Jerry Stuckle, 2014-04-09 19:37:
>>
>>> On 4/9/2014 11:43 AM, Christoph Michael Becker wrote:
>> [...]
>>>> ACK. However, the Windows x86 builds of PHP 5.5.11 shipped OpenSSL
>>>> 1.0.1f (6 Jan 2014) and have been updated to ship OpenSSL 1.0.1g (7 Apr
>>>> 2014) just a few hours ago. (The x64 builds are currently being worked
>>>> on.) So obviously PHP's OpenSSL extension is affected by the
>>>> "heartbleed" bug (at least on Windows).
>>>
>>> Does it? Or does it mean they just want to keep up with the latest
>>> release? And if it does affect PHP, what functions does it affect, and
>>> how does it affect them?
>>
>> I assume PHP does keep up with the latest release because they *are*
>> affected by the bug e.g. in stream_socket_enable_crypto().
>
> You can ASS-U-ME all you want. I go by the facts. And if I were
> concerned about PHP being involved, I would ask the OpenSSL people.
I would rather ask the PHP people, because they know best in which way
PHP uses OpenSSL. Fortunately, that is not necessary anymore:
<news:li4lve$l1h$1(at)dont-email(dot)me>
--
Christoph M. Becker
|
|
|
|
| Re: Heartbleed bug? [message #185544 is a reply to message #185525] |
Thu, 10 April 2014 15:42 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Wed, 09 Apr 2014 05:24:02 -0700, Kevin Burton wrote:
> Anyone know how this bug http://heartbleed.com/ affects PHP when the
> extension is enabled? Is there a patch for the extension?
My understanding of heartbleed is that it potentially exposes data
transferred over ssl encrypted links. As php generally[1] doesn't
implement ssl communication itself it probably doesn't affect core php a
great deal, but if you wrote php code using ssl functions eg http://
www.php.net/manual/en/ref.openssl.php you might have some exposure to
worry about.
[1] Not sure what curl does for ssl, but on a compromised platform, I
imagine it's possible that data passed over https using curl or similar
methods might also have been compromised.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
| Re: Heartbleed bug? [message #185545 is a reply to message #185539] |
Thu, 10 April 2014 15:47 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Thu, 10 Apr 2014 08:51:23 +0200, Arno Welzel wrote:
> I assume PHP does keep up with the latest release because they *are*
> affected by the bug e.g. in stream_socket_enable_crypto().
Only like to be an issue if you've been writing your own ssl transport in
php, which would beg the question why on earth did you do that?
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
| Re: Heartbleed bug? [message #185546 is a reply to message #185540] |
Thu, 10 April 2014 15:50 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Thu, 10 Apr 2014 08:57:54 +0200, Arno Welzel wrote:
> To be precise: If the installed PHP version is linked against OpenSSL
> then it should be replaced with a patched version of course.
Is simply being linked against the buggy openssl enough to be
exploitable? As I understand it the openssl code needs to be invoked (eg
https) for the bug to actually expose data.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
| Re: Heartbleed bug? [message #185547 is a reply to message #185543] |
Thu, 10 April 2014 16:36 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/10/2014 8:03 AM, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>
>> On 4/10/2014 2:51 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 2014-04-09 19:37:
>>>
>>>> On 4/9/2014 11:43 AM, Christoph Michael Becker wrote:
>>> [...]
>>>> > ACK. However, the Windows x86 builds of PHP 5.5.11 shipped OpenSSL
>>>> > 1.0.1f (6 Jan 2014) and have been updated to ship OpenSSL 1.0.1g (7 Apr
>>>> > 2014) just a few hours ago. (The x64 builds are currently being worked
>>>> > on.) So obviously PHP's OpenSSL extension is affected by the
>>>> > "heartbleed" bug (at least on Windows).
>>>>
>>>> Does it? Or does it mean they just want to keep up with the latest
>>>> release? And if it does affect PHP, what functions does it affect, and
>>>> how does it affect them?
>>>
>>> I assume PHP does keep up with the latest release because they *are*
>>> affected by the bug e.g. in stream_socket_enable_crypto().
>>
>> You can ASS-U-ME all you want. I go by the facts. And if I were
>> concerned about PHP being involved, I would ask the OpenSSL people.
>
> I would rather as k the PHP people, because they know best in which way
> PHP uses OpenSSL. Fortunately, that is not necessary anymore:
>
> <news:li4lve$l1h$1(at)dont-email(dot)me>
>
You can ask PHP people all you want. But if you want a GOOD answer, ask
the people who know the code surrounding the bug.
PHP people don't typically know the insides of OpenSSL, and how it
works. Therefore they don't know what PHP functions may be involved.
And those who think they do know are only showing how little they really
know. But then some people think because they can code PHP they are
experts in EVERYTHING.
--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Heartbleed bug? [message #185549 is a reply to message #185546] |
Thu, 10 April 2014 18:37 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 10/04/14 16:50, Denis McMahon wrote:
> On Thu, 10 Apr 2014 08:57:54 +0200, Arno Welzel wrote:
>
>> To be precise: If the installed PHP version is linked against OpenSSL
>> then it should be replaced with a patched version of course.
>
> Is simply being linked against the buggy openssl enough to be
> exploitable? As I understand it the openssl code needs to be invoked (eg
> https) for the bug to actually expose data.
>
well yes. A library you never use cant be exploited for flaws in it.
What you need is that you are providing an SSL service via a buggy SSL
library: then certain types of signal sent to it will get 'interesting'
responses in reply..
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
|
|
|
|
| Re: Heartbleed bug? [message #185550 is a reply to message #185541] |
Thu, 10 April 2014 20:54 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Jerry Stuckle, 2014-04-10 13:52:
> On 4/10/2014 2:51 AM, Arno Welzel wrote:
>> Jerry Stuckle, 2014-04-09 19:37:
>>
>>> On 4/9/2014 11:43 AM, Christoph Michael Becker wrote:
>> [...]
>>>> ACK. However, the Windows x86 builds of PHP 5.5.11 shipped OpenSSL
>>>> 1.0.1f (6 Jan 2014) and have been updated to ship OpenSSL 1.0.1g (7 Apr
>>>> 2014) just a few hours ago. (The x64 builds are currently being worked
>>>> on.) So obviously PHP's OpenSSL extension is affected by the
>>>> "heartbleed" bug (at least on Windows).
>>>>
>>>
>>> Does it? Or does it mean they just want to keep up with the latest
>>> release? And if it does affect PHP, what functions does it affect, and
>>> how does it affect them?
>>
>> I assume PHP does keep up with the latest release because they *are*
>> affected by the bug e.g. in stream_socket_enable_crypto().
>>
>>
>
> You can ASS-U-ME all you want. I go by the facts. And if I were
Oh you are so funny...
> concerned about PHP being involved, I would ask the OpenSSL people.
The fact is, that stream_socket_enable_crypto() allows to build a server
which listens on a socket to accept incoming SSL/TLS connections and
uses OpenSSL for this.
OpenSSL up to 1.0.1f has a now well known vulnerability for that use case.
Ask who ever you want. If you got the answers that prove all this wrong,
do the rest of us a favour and tell us.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
http://fahrradzukunft.de
|
|
|
|
| Re: Heartbleed bug? [message #185551 is a reply to message #185546] |
Thu, 10 April 2014 20:56 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Denis McMahon, 2014-04-10 17:50:
> On Thu, 10 Apr 2014 08:57:54 +0200, Arno Welzel wrote:
>
>> To be precise: If the installed PHP version is linked against OpenSSL
>> then it should be replaced with a patched version of course.
>
> Is simply being linked against the buggy openssl enough to be
> exploitable? As I understand it the openssl code needs to be invoked (eg
No. The bug is only exploitable if you run a SSL/TLS server - which is
possible using PHP.
> https) for the bug to actually expose data.
I don't know what exactly you do with your code. But the opposite -
"it's just PHP, nothing to worry about any library bugs" - is also not
the right way to deal with security problems.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
http://fahrradzukunft.de
|
|
|
|
| Re: Heartbleed bug? [message #185552 is a reply to message #185551] |
Thu, 10 April 2014 21:32 |
M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 10.04.2014 22:56, schrieb Arno Welzel:
> Denis McMahon, 2014-04-10 17:50:
>
>> On Thu, 10 Apr 2014 08:57:54 +0200, Arno Welzel wrote:
>>
>>> To be precise: If the installed PHP version is linked against OpenSSL
>>> then it should be replaced with a patched version of course.
>>
>> Is simply being linked against the buggy openssl enough to be
>> exploitable? As I understand it the openssl code needs to be invoked (eg
>
> No. The bug is only exploitable if you run a SSL/TLS server - which is
> possible using PHP.
>
As I read on stackoverflow, the client is vulnerable as well. So if you start a ssl
secured connection, you can be attacked by the partner.
Evidently this is "less dangerous" than the case of a server offering SSL secured
services.
/Str.
|
|
|
|
| Re: Heartbleed bug? [message #185553 is a reply to message #185550] |
Thu, 10 April 2014 22:45 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Thu, 10 Apr 2014 22:54:01 +0200, Arno Welzel wrote:
> The fact is, that stream_socket_enable_crypto() allows to build a server
> which listens on a socket to accept incoming SSL/TLS connections and
> uses OpenSSL for this.
>
> OpenSSL up to 1.0.1f has a now well known vulnerability for that use
> case.
>
> Ask who ever you want. If you got the answers that prove all this wrong,
> do the rest of us a favour and tell us.
Yes, but for that issue to affect your (or my, or Jerry's) code, we'd
have had to write our own SSL/TLS enabled server in PHP.
And for that issue to affect anyone elses code, they'd have had to write
their own SSL/TLS enabled server in PHP.
So this comes back to: The "heartbleed" exploit will only affect your php
code if your php code is linked against the exploitable OpenSSL libraries
*AND* your code calls functions in those libraries that expose the
exploits.
And to know that you need to know which functions of the libraries are
exploitable, and whether your code calls those functions. It's impossible
for anyone, without reviewing another persons code, to tell whether that
other person's code is exposed to this exploit or not, and that is the
point that I believe Jerry is trying to make, and that you are so
abstrusely refusing to recognise.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
| Re: Heartbleed bug? [message #185554 is a reply to message #185543] |
Thu, 10 April 2014 23:01 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Thu, 10 Apr 2014 14:03:25 +0200, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>> You can ASS-U-ME all you want. I go by the facts. And if I were
>> concerned about PHP being involved, I would ask the OpenSSL people.
> I would rather ask the PHP people, because they know best in which way
> PHP uses OpenSSL. Fortunately, that is not necessary anymore:
As far as I can tell, PHP does not "use" OpenSSL directly itself, unless
a person writing php scripts calls functions that do use OpenSSL, and it
only seems to be when those functions are used that the vulnerability can
be exploited.
For example, the following php script as a web page has no exposure to
the OpenSSL vulnerability:
<?php
echo "<!doctype html><html lang='en'><head><title>Test</title></
head><body><h1>Hello World</h1></body></html>"
?>
However, if you have perhaps written a server process in php that opens
sockets for encrypted communication, or perhaps if you have been opening
https sessions as a client using curl, then you may have exposed the
vulnerability in such a way that it could be exploited (and I'm not
actually sure about the curl thing).
Hence, for any specific case, it is only possible to answer the question
"is this PHP installation exposed to heartbleed" by knowing whether the
PHP code is exposing the exploitable vulnerability. To know that, you
need to know enough about the SSL side of the vulnerability to know if
your PHP calls are calling the affected SSL features, and enough about
the individual PHP installation you are discussing to know what SSL
features it calls.
So basically no-one here can judge the vulnerability of the php code on
any individual server to heartbleed unless they have a pretty intimate
knowledge of the php code running on that server and know enough about
the php / ssl interfaces and heartbleed to identify any php calls that
may expose the vulnerability.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
| Re: Heartbleed bug? [message #185555 is a reply to message #185551] |
Thu, 10 April 2014 23:14 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Thu, 10 Apr 2014 22:56:34 +0200, Arno Welzel wrote:
> Denis McMahon, 2014-04-10 17:50:
>
>> On Thu, 10 Apr 2014 08:57:54 +0200, Arno Welzel wrote:
>>
>>> To be precise: If the installed PHP version is linked against OpenSSL
>>> then it should be replaced with a patched version of course.
>>
>> Is simply being linked against the buggy openssl enough to be
>> exploitable? As I understand it the openssl code needs to be invoked
>> (eg
>
> No. The bug is only exploitable if you run a SSL/TLS server - which is
> possible using PHP.
>
>> https) for the bug to actually expose data.
Sorry, but you seem to be saying "No" and then agreeing with me. Perhaps
it's the way you have quote-replied, and I'm reading your "No" as
applying to a different part of the quoted text to that which you
intended it to refer?
Are you saying "No" to the question:
>> Is simply being linked against the buggy openssl enough to be
>> exploitable?
Or the statement:
>> As I understand it the openssl code needs to be invoked
>> (eg https) for the bug to actually expose data.
Because I can't tell from the way you quoted me which of these you're
saying no to, and depending which applies, you're either agreeing with my
position or disputing it.
> "it's just PHP, nothing to worry about any library bugs" - is also not
> the right way to deal with security problems.
That's not what I'm saying. What I am saying is that as I understand it,
in this specific case, you only have a php issue if your php code is
making ssl / tsl connections using the vulnerable OpenSSL library, and
that is something that the admin and / or coders responsible for a system
needs to determine for themselves given their knowledge of what their
system does.
I don't know enough about your code, Jerry's code, or anyone elses code
(except maybe richard's[1], we all know too much about richard's code) to
determine whether that person's php code is vulnerable to this exploit.
[1] I doubt richard's code is vulnerable to this exploit, the universe's
life expectancy is insufficient for him to develop the coding competency
required to implement a server process in php.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
| Re: Heartbleed bug? [message #185556 is a reply to message #185554] |
Thu, 10 April 2014 23:47 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 11/04/14 00:01, Denis McMahon wrote:
> On Thu, 10 Apr 2014 14:03:25 +0200, Christoph Michael Becker wrote:
>
>> Jerry Stuckle wrote:
>
>>> You can ASS-U-ME all you want. I go by the facts. And if I were
>>> concerned about PHP being involved, I would ask the OpenSSL people.
>
>> I would rather ask the PHP people, because they know best in which way
>> PHP uses OpenSSL. Fortunately, that is not necessary anymore:
>
> As far as I can tell, PHP does not "use" OpenSSL directly itself, unless
> a person writing php scripts calls functions that do use OpenSSL, and it
> only seems to be when those functions are used that the vulnerability can
> be exploited.
>
> For example, the following php script as a web page has no exposure to
> the OpenSSL vulnerability:
>
> <?php
> echo "<!doctype html><html lang='en'><head><title>Test</title></
> head><body><h1>Hello World</h1></body></html>"
> ?>
ER, it COULD if it was running on a secure server!!!
>
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
|
|
|
|
| Re: Heartbleed bug? [message #185557 is a reply to message #185556] |
Fri, 11 April 2014 00:38 |
Eli the Bearded
Messages: 22
Registered: April 2011
Karma: 0
|
Junior Member |
|
|
In comp.lang.php, The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
> On 11/04/14 00:01, Denis McMahon wrote:
>> As far as I can tell, PHP does not "use" OpenSSL directly itself, unless
>> a person writing php scripts calls functions that do use OpenSSL, and it
>> only seems to be when those functions are used that the vulnerability can
>> be exploited.
You can, however, use OpenSSL in PHP without calling any functions that
have "ssl" in the name.
>> For example, the following php script as a web page has no exposure to
>> the OpenSSL vulnerability:
>>
>> <?php
>> echo "<!doctype html><html lang='en'><head><title>Test</title></
>> head><body><h1>Hello World</h1></body></html>"
>> ?>
> ER, it COULD if it was running on a secure server!!!
No, that script would not. Or maybe it will make more sense like this:
"ER, that script WOULD NOT!!!1111"
In your scenario, the server (eg, Apache) has an OpenSSL
vulnerability, not the PHP component. On some of my servers OpenSSL
is being used by PHP because I am using the curl module to interact
with an SSL server. I suspect PHP can use OpenSSL for
fopen("https://...") type constructs, too. I'm not sure I've ever
tried fopen() with https.
From "grep -i ssl configure", it looks like OpenSSL is the only SSL
library that PHP (4.4.x, 5.4.x) will attempt to use. Apparently is/can
be used by the Kerberos and imap functions, too.
From "grep -i ssl configure", Apache (2.2.x) can use OpenSSL or RSA SSL-C.
Elijah
------
or you could terminate ssl on the load balancer and not in the server at all
|
|
|
|
| Re: Heartbleed bug? [message #185558 is a reply to message #185556] |
Fri, 11 April 2014 01:58 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/10/2014 7:47 PM, The Natural Philosopher wrote:
> On 11/04/14 00:01, Denis McMahon wrote:
>> On Thu, 10 Apr 2014 14:03:25 +0200, Christoph Michael Becker wrote:
>>
>>> Jerry Stuckle wrote:
>>
>>>> You can ASS-U-ME all you want. I go by the facts. And if I were
>>>> concerned about PHP being involved, I would ask the OpenSSL people.
>>
>>> I would rather ask the PHP people, because they know best in which way
>>> PHP uses OpenSSL. Fortunately, that is not necessary anymore:
>>
>> As far as I can tell, PHP does not "use" OpenSSL directly itself, unless
>> a person writing php scripts calls functions that do use OpenSSL, and it
>> only seems to be when those functions are used that the vulnerability can
>> be exploited.
>>
>> For example, the following php script as a web page has no exposure to
>> the OpenSSL vulnerability:
>>
>> <?php
>> echo "<!doctype html><html lang='en'><head><title>Test</title></
>> head><body><h1>Hello World</h1></body></html>"
>> ?>
> ER, it COULD if it was running on a secure server!!!
>
>>
But that wouldn't be a PHP problem. It would be an Apache problem.
--
Ineptocracy
(in-ep-toc’-ra-cy). 1. Anything involving TNP. 2. See 1.
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Heartbleed bug? [message #185559 is a reply to message #185558] |
Fri, 11 April 2014 02:59 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Thu, 10 Apr 2014 21:58:01 -0400, Jerry Stuckle wrote:
> On 4/10/2014 7:47 PM, The Natural Philosopher wrote:
>> On 11/04/14 00:01, Denis McMahon wrote:
>>> For example, the following php script as a web page has no exposure to
>>> the OpenSSL vulnerability:
>>> <?php echo "<!doctype html><html lang='en'><head><title>Test</title></
>>> head><body><h1>Hello World</h1></body></html>"
>>> ?>
>> ER, it COULD if it was running on a secure server!!!
> But that wouldn't be a PHP problem. It would be an Apache problem.
You expect him to comprehend the distinction following years of evidence
to the contrary?
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
| Re: Heartbleed bug? [message #185560 is a reply to message #185559] |
Fri, 11 April 2014 03:36 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 11/04/14 03:59, Denis McMahon wrote:
> On Thu, 10 Apr 2014 21:58:01 -0400, Jerry Stuckle wrote:
>
>> On 4/10/2014 7:47 PM, The Natural Philosopher wrote:
>>> On 11/04/14 00:01, Denis McMahon wrote:
>
>>>> For example, the following php script as a web page has no exposure to
>>>> the OpenSSL vulnerability:
>
>>>> <?php echo "<!doctype html><html lang='en'><head><title>Test</title></
>>>> head><body><h1>Hello World</h1></body></html>"
>>>> ?>
>
>>> ER, it COULD if it was running on a secure server!!!
>
>> But that wouldn't be a PHP problem. It would be an Apache problem.
>
> You expect him to comprehend the distinction following years of evidence
> to the contrary?
>
Read what the poster said.
He said 'the following php script as a web page has no exposure to
the OpenSSL vulnerability'
He didn't say a PHP vulnerabilty.
Or specify a PHP problem.
If you interpret that the way its written it means 'you wont have a
problem with this PHP script'
I pointed out that in fact you could.
The fact that is not something you can address from within PHP does NOT
invalidate the fact that running that script on a secure server using
OPEN SSL could be a problem
Lets put it another way. If you DONT run that script on an (insecure)
ssl server, there is no issue. If you do there is. SO 'that script could
be a problem'
You should get out more and stop being so stuck up your own smart ass.
Or are you a nymshifted stucklehead?
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
|
|
|
|
| Re: Heartbleed bug? [message #185561 is a reply to message #185555] |
Fri, 11 April 2014 06:23 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Denis McMahon, 2014-04-11 01:14:
> On Thu, 10 Apr 2014 22:56:34 +0200, Arno Welzel wrote:
>
>> Denis McMahon, 2014-04-10 17:50:
>>
>>> On Thu, 10 Apr 2014 08:57:54 +0200, Arno Welzel wrote:
>>>
>>>> To be precise: If the installed PHP version is linked against OpenSSL
>>>> then it should be replaced with a patched version of course.
>>>
>>> Is simply being linked against the buggy openssl enough to be
>>> exploitable? As I understand it the openssl code needs to be invoked
>>> (eg
>>
>> No. The bug is only exploitable if you run a SSL/TLS server - which is
>> possible using PHP.
>>
>>> https) for the bug to actually expose data.
>
> Sorry, but you seem to be saying "No" and then agreeing with me. Perhaps
> it's the way you have quote-replied, and I'm reading your "No" as
> applying to a different part of the quoted text to that which you
> intended it to refer?
Sorry for the confusion :-(
> Are you saying "No" to the question:
>
>>> Is simply being linked against the buggy openssl enough to be
>>> exploitable?
Yes - this I am referring to. Just the fact that you use a PHP version
which is linket to a buggy OpenSSL lib is of course not enough to
exploit the bug. One has to actually *use* the buggy functions in a way
that an attacker can send crafted heartbeat packets to your server.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
http://fahrradzukunft.de
|
|
|
|
| Re: Heartbleed bug? [message #185562 is a reply to message #185553] |
Fri, 11 April 2014 06:33 |
Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
|
Senior Member |
|
|
Denis McMahon, 2014-04-11 00:45:
> On Thu, 10 Apr 2014 22:54:01 +0200, Arno Welzel wrote:
>
>> The fact is, that stream_socket_enable_crypto() allows to build a server
>> which listens on a socket to accept incoming SSL/TLS connections and
>> uses OpenSSL for this.
>>
>> OpenSSL up to 1.0.1f has a now well known vulnerability for that use
>> case.
>>
>> Ask who ever you want. If you got the answers that prove all this wrong,
>> do the rest of us a favour and tell us.
>
> Yes, but for that issue to affect your (or my, or Jerry's) code, we'd
> have had to write our own SSL/TLS enabled server in PHP.
>
> And for that issue to affect anyone elses code, they'd have had to write
> their own SSL/TLS enabled server in PHP.
>
> So this comes back to: The "heartbleed" exploit will only affect your php
> code if your php code is linked against the exploitable OpenSSL libraries
> *AND* your code calls functions in those libraries that expose the
> exploits.
That's correct.
> And to know that you need to know which functions of the libraries are
> exploitable, and whether your code calls those functions. It's impossible
> for anyone, without reviewing another persons code, to tell whether that
> other person's code is exposed to this exploit or not, and that is the
> point that I believe Jerry is trying to make, and that you are so
> abstrusely refusing to recognise.
Of course not *every* PHP based application is affected by the OpenSSL bug.
But I refuse to assume the opposite that everything is OK as long as no
one exactly can describe, how the OpenSSL bug may affect PHP
applications. Because concerning PHP in general there *is* a problem
which *can* affect PHP based applications as long as you use a PHP
version without updated OpenSSL libraries.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
http://fahrradzukunft.de
|
|
|
|
|
|
| Re: Heartbleed bug? [message #185566 is a reply to message #185559] |
Fri, 11 April 2014 16:08 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/10/2014 10:59 PM, Denis McMahon wrote:
> On Thu, 10 Apr 2014 21:58:01 -0400, Jerry Stuckle wrote:
>
>> On 4/10/2014 7:47 PM, The Natural Philosopher wrote:
>>> On 11/04/14 00:01, Denis McMahon wrote:
>
>>>> For example, the following php script as a web page has no exposure to
>>>> the OpenSSL vulnerability:
>
>>>> <?php echo "<!doctype html><html lang='en'><head><title>Test</title></
>>>> head><body><h1>Hello World</h1></body></html>"
>>>> ?>
>
>>> ER, it COULD if it was running on a secure server!!!
>
>> But that wouldn't be a PHP problem. It would be an Apache problem.
>
> You expect him to comprehend the distinction following years of evidence
> to the contrary?
>
Good point, Denis.
--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]