Changes between Initial version and Version 1 of Press Release 49


Ignore:
Timestamp:
26 Nov 2017, 10:37:44 (6 years ago)
Author:
cvvergara
Comment:

Copy from osgeo wiki

Legend:

Unmodified
Added
Removed
Modified

  • Press Release 49

    v1 v1  
     1= OSGeo-Live and HeartBleed vulnerability=
     2
     314 April 2014
     4
     5The [http://heartbleed.com/ Heartbleed Bug] - described in [http://www.ubuntu.com/usn/usn-2165-1/ this Ubuntu Security Note] - is a serious security exposure, and the relevant software components shipped on the OSGeo-Live versions 6.0 to the present 7.9.
     6
     7As described in many widely available posts on the Internet, the HeartBleed vulnerability is exposed when network software  uses the Transport Layer Security (TLS) feature built on top of a current version of the encryption library openssl. The fix to the vulnerability is to upgrade the openssl package via the Ubuntu/Debian apt mechanism.
     8
     9No software on the OSGeo-Live is configured to serve network connections using TLS "out of the box." However, some software (such as QGis) which provide WMS connectivity to other network services, may create a reverse-vulnerability when a secure connection is established. By patching your OSGeo-Live openssl library, you can close that reverse-exposure.
     10
     11Please note that the OSGeo-Live project does not recommend using OSGeo-Live "as-is" for production deployment on the Internet.
     12
     13All users of OSGeo Live from versions 6.0 to the present 7.9 release are strongly encouraged to apply software updates to any installed system.
     14
     15
     16== OSGeo-Live releases affected==
     17OSGeo-Live releases based on Ubuntu 12.04 are affected. This includes versions:
     18* 6.0
     19* 6.5
     20* 7.0
     21* 7.9
     22
     23== How to Fix ==
     24The OSGeo-Live project recommends that all installed versions of an affected OSGeo-Live release follow at a minimum, these steps:
     25{{{
     26sudo apt-get update
     27sudo apt-get install libssl1.0.0
     28}}}
     29
     30The default password is "user" (four characters).
     31
     32Using the graphical update manager will also work, click the 8 pointed star in the top toolbar. Make sure to check for updates and apply any updates to libssl available.
     33
     34A '''restart''' of all services is required after the update is applied, otherwise old libs are used for RAM. You can either restart by hand or reboot the whole system.