FUDforum: comp.lang.php » Heartbleed bug?

Home » Imported messages » comp.lang.php » Heartbleed bug?

Show: Today's Messages :: Polls :: Message Navigator

Re: Heartbleed bug? [message #185536 is a reply to message #185525]

Wed, 09 April 2014 23:43

Adam Harvey
Messages: 25
Registered: September 2010

Karma:

Junior Member

On Wed, 09 Apr 2014 05:24:02 -0700, Kevin Burton wrote:
> Anyone know how this bug http://heartbleed.com/ affects PHP when the
> extension is enabled? Is there a patch for the extension?

OpenSSL has released version 1.0.1g to fix the Heartbleed bug. Non-
Windows users generally don't need to update their PHP installation;
upgrading OpenSSL to a fixed version is sufficient. (All major Linux
distributions have now shipped OpenSSL updates.) The Windows PHP packages
distributed from windows.php.net _do_ include a local copy of OpenSSL,
and have been rebuilt today to include 1.0.1g: if you're using a package
from windows.php.net, you should upgrade immediately.

Once you've upgraded OpenSSL, restart your Web server, PHP-FPM if you're
using it, and any other PHP processes you have running.

Note that you may need to take additional action, depending on whether
you fit into one (or more) of the following categories:

1. You're running a HTTPS server.

If you're running a Web server that uses OpenSSL to provide SSL/TLS (eg
Apache, nginx, lighttpd), you'll need to upgrade OpenSSL, restart your
Web server, _and_ revoke your SSL certificates and have them reissued
with new private keys. (This last step is due to the nature of the bug:
it's possible for an attacker to have already captured your private key,
and even if you upgrade OpenSSL, they could then use that to decrypt your
secure traffic.)

You should probably suggest to your users that they change their
passwords as well, since it may have been possible for attackers to
extract those opportunistically from your PHP process's memory,
particularly if you're using something like mod_php where the SSL/TLS
negotiation happens in the same process as PHP is executed in.

2. You're connecting to secure servers from within PHP _and_ using client
certificates.

This is extremely rare (if you don't know whether you're using client
certificates, you're not), but if you have code that sets the
CURLOPT_SSLCERT option or the SSL local_cert context option, you'll want
to revoke and reissue your client certificate(s) with new private keys
once you've upgraded OpenSSL.

3. You wrote a secure socket server _in_ PHP. (My God, why?)

It's possible to write a secure socket server in PHP by using
stream_socket_server() with the ssl:// or tls:// protocol. If so, the fix
is similar to the first case: upgrade OpenSSL, restart all PHP processes,
and create new server certificates using new private keys.

Adam

Report message to a moderator

[Message index]

		Heartbleed bug? By: Kevin Burton on Wed, 09 April 2014 12:24
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 13:17
		Re: Heartbleed bug? By: Robert Heller on Wed, 09 April 2014 13:56
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 15:21
		Re: Heartbleed bug? By: Christoph Michael Bec on Wed, 09 April 2014 15:43
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 17:37
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:51
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 11:52
		Re: Heartbleed bug? By: Christoph Michael Bec on Thu, 10 April 2014 12:03
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 16:36
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 23:01
		Re: Heartbleed bug? By: The Natural Philosoph on Thu, 10 April 2014 23:47
		Re: Heartbleed bug? By: Eli the Bearded on Fri, 11 April 2014 00:38
		Re: Heartbleed bug? By: Jerry Stuckle on Fri, 11 April 2014 01:58
		Re: Heartbleed bug? By: Denis McMahon on Fri, 11 April 2014 02:59
		Re: Heartbleed bug? By: The Natural Philosoph on Fri, 11 April 2014 03:36
		Re: Heartbleed bug? By: Jerry Stuckle on Fri, 11 April 2014 16:08
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 20:54
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 22:45
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 06:33
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:47
		Re: Heartbleed bug? By: Robert Heller on Wed, 09 April 2014 15:56
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 17:38
		Re: Heartbleed bug? By: M. Strobel on Wed, 09 April 2014 22:11
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 11:53
		Re: Heartbleed bug? By: The Natural Philosoph on Wed, 09 April 2014 20:02
		Re: Heartbleed bug? By: Adam Harvey on Wed, 09 April 2014 23:43
		Re: Heartbleed bug? By: Eli the Bearded on Thu, 10 April 2014 00:01
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:43
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:57
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:50
		Re: Heartbleed bug? By: The Natural Philosoph on Thu, 10 April 2014 18:37
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 20:56
		Re: Heartbleed bug? By: M. Strobel on Thu, 10 April 2014 21:32
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 23:14
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 06:23
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:42
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 11:00

Previous Topic:	cURL and response code 302
Next Topic:	PHP Parse error: syntax error, unexpected '$sql' (T_VARIABLE) in

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Nov 23 17:35:34 GMT 2024

Total time taken to generate the page: 0.05492 seconds