[mythtv-users] the heartbleed openssl bug and mythtv

Andréas Kühne andreas at kuhne.se
Thu Apr 10 11:00:48 UTC 2014


2014-04-10 11:34 GMT+02:00 Mike Perkins <mikep at randomtraveller.org.uk>:

> On 10/04/14 03:39, Gary Buhrmaster wrote:
>
>>
>> As far as impact, if one is using a throw-away password
>> like "password", and is using it only on their mythweb server,
>> the impact is low (the worst someone could do is probably
>> delete your recordings, and it is only just TV :-).  On the
>> other hand, if it is using the same password as you use
>> at your bank, or your secret password to access your
>> evil lair, the impact could be higher.  You can mitigate
>> against that impact by changing your bank password
>> (note: Unless your bank says they have fixed it already,
>> you get to do it now, and then again after they have
>> applied the patch), and change your password to access
>> your secret lair from which you plan to launch the plan of
>> world domination.
>>
> Er, no. If they can gain access to your /server/ it makes it at least
> possible for them to upload more malware, turning your server into a relay
> bot, etc.
>
> Fortunately I don't permit any internet-facing access to my machines,
> which is probably just as well. The number of devices I will have to update
> in the near future is mind-boggling.
>
> Apart from the usual servers, clients and workstations, one mustn't forget
> wireless access points, smart phones (when Apple/Samsung gets around to
> providing a fix), tablets, ereaders and set-top boxes, all of which likely
> run some OS which uses SSL!
>
> --
>
> Mike Perkins
>

This is not a security discussion group, and I find that this discussion
really has gone overboard. You have to upgrade openssl on your server IF
you use apache and openssl to deliver any content on your mythtv server
(for example mythweb). Changing passwords on the server is also recommended
(if you are really paranoid, the chance that someone has targeted your
mythtv server is slim to none, there are larger fish in the sea).

Clients using openssl are not affected by this bug, so smartphones,
tablets, set-top boxes and the like (as long as they are not serving
content with openssl, which few are doing), do not need to be upgraded.
Openssh is not affected either. Your password and possibly your public key
can be compromised, if you are worried about your password, change it. If
you worry about someone getting your public key, then you don't understand
how key generation and login work.

The main thing is however that your server won't be compromised just
because it is internet-facing and used an old version of openssl. Check
your server logs to see if there are strange logins, change the password
and you are fine!

The problem is worse on all of our Internet services. You should really
think about changing passwords there. And I can't imagine that there are
any sysops that haven't upgraded openssl already....

Regards

Andréas