Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] [INVALID] CVE-2014-0224 + nginx
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
manwe_
l33t
l33t


Joined: 01 Feb 2006
Posts: 621
Location: Kraków/Cracow, Poland

PostPosted: Sat Jul 05, 2014 12:29 pm    Post subject: [SOLVED] [INVALID] CVE-2014-0224 + nginx Reply with quote

Hi *.

I've upgraded openssl to 1.0.1h-r1 [amd64] and restarted nginx. But according to https://www.ssllabs.com/ssltest/analyze.html I was still vurnelable. So I've re-emerged nginx [1.0.1h-r1] and did full init.d/nginx stop & start, but still this test site shows I'm vulnerable to CVE-2014-0224.

Code:
# eix -cIe openssl
[I] dev-libs/openssl (1.0.1h-r1@05.07.2014): full-strength general purpose cryptography library (including SSL and TLS)

# eix -cIe nginx
[I] www-servers/nginx (1.4.7@05.07.2014): Robust, small and high performance http and reverse proxy server

# ldd /usr/sbin/nginx | grep libssl
        libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f3ec5c66000)

# strings /usr/lib64/libssl.so.1.0.0 | grep "^OpenSSL "
OpenSSL 1.0.1h 5 Jun 2014


Any ideas?


Last edited by manwe_ on Sat Jul 05, 2014 1:05 pm; edited 1 time in total
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

PostPosted: Sat Jul 05, 2014 12:47 pm    Post subject: Reply with quote

Well, revdep-rebuild is nowadays often no longer needed but what's about re-emerging nginx via "emerge -1 nginx" ?

BTW I do assume, that you have this
Code:
PORTAGE_ELOG_CLASSES="log warn error"
PORTAGE_ELOG_SYSTEM="save mail"
at least set in /etc/portage/make.conf to not lose emerge messages, right ?
Back to top
View user's profile Send private message
manwe_
l33t
l33t


Joined: 01 Feb 2006
Posts: 621
Location: Kraków/Cracow, Poland

PostPosted: Sat Jul 05, 2014 12:51 pm    Post subject: Re: CVE-2014-0224 + nginx Reply with quote

manwe_ wrote:
So I've re-emerged nginx [1.0.1h-r1] and did full init.d/nginx stop & start, but still this test site shows I'm vulnerable to CVE-2014-0224.


toralf wrote:
but what's about re-emerging nginx via "emerge -1 nginx" ?


;)


toralf wrote:
BTW I do assume, that you have this … at least set in /etc/portage/make.conf to not lose emerge messages, right ?

I don't need to have _SYSTEM="mail", just "save". I launch every emerge manually.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

PostPosted: Sat Jul 05, 2014 12:59 pm    Post subject: Reply with quote

Ick, didn't read your origin carefully enough ;-) - well , what's about the idea that the web service of ssllabs is buggy ? :-D
Back to top
View user's profile Send private message
manwe_
l33t
l33t


Joined: 01 Feb 2006
Posts: 621
Location: Kraków/Cracow, Poland

PostPosted: Sat Jul 05, 2014 1:05 pm    Post subject: Reply with quote

Looks like they are :) I've launched one more test (via "clear cache") and this time (fourth time) it worked. Sorry to bother.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum