OpenSSL CVE-2014-0160

#4
/lsws-4.2.9-std-x86_64-linux.tar.gz: unexpected end of file
tar: This does not look like a tar archive
tar: Error exit delayed from previous errors
/update.sh: line 70: cd: /lsws-4.2.9: No such file or directory
 

mistwang

LiteSpeed Staff
#6
There is no x86_64 package for the standard release. Maybe something is wrong with your installation if you do use LSWS Enterprise.
remove /usr/local/lsws/autoupdate/release then try again.
 
#9
Thanks for providing the patched update, however the Heartbleed test is failing with a timeout. This is probably a Heartbleed issue, but I wanted to post here and check if it's a problem with the Litespeed release?

EDIT: Just to confirm, it's definitely NOT timing out. Telnets to port 443 go through fine, I believe the "timeout" error just means the script can't interpret the response Litespeed is providing.
 

Michael

Well-Known Member
Staff member
#10
Howdy,

In the Heartbleed FAQ it says, "if the error below is a timeout then my servers are under too heavy load, probably".

Thus, I think the issue is that too many people are using this test.

Michael
 
#11
Michael,

Thanks for your response, but that's not the case. I'm running the Heartbleed tool from a local machine that is used for testing like this, not from the Heartbleed website.
 

Michael

Well-Known Member
Staff member
#12
Hmmm... Alright, then we'll have to go with your hypothesis that the tool doesn't understand the response LSWS is giving. What tool are you using?

We'll definitely keep our eyes out for more reports like this.

Michael
 

cornish

Well-Known Member
#13
We did a yum update and installed the updates, but it still said VULNERABLE.

Then it clicked that we had LiteSpeed installed, so we did the update to 4.2.9; now all we get on the Heartbleed test is a timeout.

And one of our servers says this below on heartbleed test

Uh-oh, something went wrong:tls: oversized record received with length 20527
 

joe

Well-Known Member
#15
Please check the lsws-4.2.9-std-i386-freebsd6.tar.gz download. The lshttpd.4.2.9 binary appears to be missing.

kinda need it ;)
 

cornish

Well-Known Member
#16
The site you're using to check this may be producing a false positive, but I've checked and the OpenSSL version we are using is patched.

You can check with this command below.

rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
 

gboudreau

Well-Known Member
#17
That command will not indicate that the litespeed server installed on the server is OK.
I'm running openssl-0.9.8e, which is not vulnerable, but my litespeed server was still vulnerable, thus the release of 4.2.9 required to fix this.
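As an added example (not LiteSpeed's code or the tool used in this thread), here is the check gboudreau's point implies: read the OpenSSL banner baked into a binary such as the bundled lshttpd, since a patched system libssl says nothing about a statically linked copy, and treat a package changelog naming CVE-2014-0160 as a backported fix that the version letter alone would miss (the rpm --changelog check earlier in the thread). The sample "binaries" and changelog line are constructed.

```python
from __future__ import annotations
import re

# Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected by
# CVE-2014-0160; 1.0.1g fixed it. The 0.9.8 and 1.0.0 branches never had the
# TLS heartbeat code and are not affected.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?) ")

def embedded_openssl_versions(blob: bytes) -> list[str]:
    """Collect the OpenSSL version banners present in a binary image."""
    seen: list[str] = []
    for m in BANNER_RE.finditer(blob):
        v = m.group(1).decode()
        if v not in seen:
            seen.append(v)
    return seen

def upstream_status(version: str) -> str:
    """Classify an upstream version string: 'vulnerable', 'fixed' or 'not affected'."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    if m:
        return "vulnerable" if m.group(1) <= "f" else "fixed"
    if version.startswith("1.0.2-beta"):
        return "vulnerable" if version == "1.0.2-beta1" else "fixed"
    return "not affected"

def assess_binary(blob: bytes, changelog: str = "") -> dict[str, str]:
    """Map each embedded version to a verdict.

    A distro changelog that names CVE-2014-0160 means the fix was backported
    without bumping the version letter, so the banner alone would be a false
    'vulnerable'. A statically linked copy (a bundled server build) has no
    such changelog, so there the banner decides.
    """
    backported = "CVE-2014-0160" in changelog
    verdicts = {}
    for v in embedded_openssl_versions(blob):
        status = upstream_status(v)
        if status == "vulnerable" and backported:
            status = "fixed (backported)"
        verdicts[v] = status
    return verdicts

# Constructed sample "binaries": padding bytes around a banner string.
OLD_STATIC = b"\x7fELF\x00\x00pad OpenSSL 1.0.1e 11 Feb 2013\x00more"
NEW_STATIC = b"\x7fELF\x00\x00pad OpenSSL 1.0.1g 7 Apr 2014\x00more"
LEGACY = b"\x7fELF\x00\x00OpenSSL 0.9.8e 23 Feb 2007\x00"
RHEL_LOG = "- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension"

if __name__ == "__main__":
    for name, blob in [("static 1.0.1e", OLD_STATIC), ("static 1.0.1g", NEW_STATIC), ("0.9.8e", LEGACY)]:
        print(name, assess_binary(blob))
    print("1.0.1e with backport changelog", assess_binary(OLD_STATIC, RHEL_LOG))
```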
 
#19
I agree that it's likely the timeout response means we are not vulnerable, however it would be great if we could determine why the tool is incompatible with Litespeed (why is it providing a different response than expected) and get to a stage where the tool can be used to confirm this. For people with many servers who may wish to bulk check, this will provide a lot of peace of mind.
 
#20
12.04 LTS, OpenSSL updated, lsup also to 4.2.9; I also confirm the timeout Heartbleed response. Almost zero traffic on HTTPS at the time of testing.
 