DirectAdmin and CVE-2014-0224
PrincessOfCats
Member
in Help
I currently have a new DirectAdmin installation on Debian 7.
I recently did some tuning including adding a GRE tunnel, and enabling HTTPS for the panel. Upon completion of HTTPS and GRE setup, I used the ssllabs test to check my SSL.
SSL Labs reports that I am vulnerable to CVE-2014-0224.
According to the Debian security tracker and my installation, this is impossible.
Debian Security Tracker indicates that it was fixed in 1.0.1e-2+deb7u13/1.0.1e-2+deb7u14.
Dpkg reports 1.0.1e-2+deb7u14 is installed.
I don't get it.
Comments
Hi,
SSL Labs doesn't lie, or maybe they have some false-positive issue, but ...
To test:
apt-get changelog openssl | grep CVE-2014-0224
If a result is not returned, then, yep, you need to update/patch your system.
From the Debian source, your package version doesn't have that patch. If that is 100% the case, you will need to rebuild your version with the patch or install a new version: openssl (1.0.1h-1) or later. As you wish.
@StartledPhoenix
A bit of testing...
Apt-get doesn't seem to want to get the changelog for me, indicating that the changelog download failed..... however aptitude luckily does.
Seeing that it was patched, I took another look around and found http://forum.directadmin.com/showthread.php?t=32045
Since they have decided to make it impossible for people to test if the panel is vulnerable, is there any way I can check to see if it is actually vulnerable to such an attack?
Trying the attack on your own system.
Have you restarted your service/machine yet?
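The restart question matters because a process started before the package upgrade keeps the old libssl/libcrypto mapped until it is restarted. The following is an added example, not part of the original thread: a shell function (the name `stale_ssl_procs` and its optional proc-root argument are assumptions made for this example) that lists such processes by looking for library mappings marked "(deleted)".

```shell
#!/bin/sh
# Added example: list processes that still map a replaced copy of
# libssl/libcrypto, i.e. they were started before the openssl packages
# were upgraded and have not been restarted since.
#
# A stale mapping in /proc/PID/maps looks like this (constructed sample):
#   7f10a000-7f15c000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)

# stale_ssl_procs [PROC_ROOT]
# Prints "PID NAME LIBRARY" once per stale library per process.
# PROC_ROOT defaults to /proc; it is a parameter so the function can also
# be run against a saved copy of the maps files.
stale_ssl_procs() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip other users' processes when not root, and an unmatched glob.
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        pid=${dir##*/}
        name=$(cat "$dir/comm" 2>/dev/null) || name=
        # Field 6 of a maps line is the mapped path. When the file on disk
        # has been replaced, the kernel appends " (deleted)" to the line.
        awk -v pid="$pid" -v name="${name:-?}" '
            /\(deleted\)$/ && $6 ~ /\/lib(ssl|crypto)\.so/ && !seen[$6]++ {
                print pid, name, $6
            }' "$maps" 2>/dev/null || :   # process may exit mid-scan
    done
    return 0
}

# Scan the live system. Run as root to see every process.
stale_ssl_procs /proc
```

No output means no running process holds a replaced copy of the shared libraries. A binary that is statically linked against OpenSSL does not map libssl.so at all, so it never appears here and has to be checked by other means.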