[mythtv-users] the heartbleed openssl bug and mythtv

Stephen Worthington stephen_agent at jsw.gen.nz
Thu Apr 10 13:40:46 UTC 2014


On Thu, 10 Apr 2014 13:00:48 +0200, you wrote:

>2014-04-10 11:34 GMT+02:00 Mike Perkins <mikep at randomtraveller.org.uk>:
>
>> On 10/04/14 03:39, Gary Buhrmaster wrote:
>>
>>>
>>> As far as impact, if one is using a throw-away password
>>> like "password", and is using it only on their mythweb server,
>>> the impact is low (the worst someone could do is probably
>>> delete your recordings, and it is only just TV :-).  On the
>>> other hand, if it is using the same password as you use
>>> at your bank, or your secret password to access your
>>> evil lair, the impact could be higher.  You can mitigate
>>> against that impact by changing your bank password
>>> (note: Unless your bank says they have fixed it already,
>>> you get to do it now, and then again after they have
>>> applied the patch), and change your password to access
>>> your secret lair from which you plan to launch the plan of
>>> world domination.
>>>
>> Er, no. If they can gain access to your /server/ it makes it at least
>> possible for them to upload more malware, turning your server into a relay
>> bot, etc.
>>
>> Fortunately I don't permit any internet-facing access to my machines,
>> which is probably just as well. The number of devices I will have to update
>> in the near future is mind-boggling.
>>
>> Apart from the usual servers, clients and workstations, one mustn't forget
>> wireless access points, smart phones (when Apple/Samsung gets around to
>> providing a fix), tablets, ereaders and set-top boxes, all of which likely
>> run some OS which uses SSL!
>>
>> --
>>
>> Mike Perkins
>>
>>
>> _______________________________________________
>> mythtv-users mailing list
>> mythtv-users at mythtv.org
>> http://www.mythtv.org/mailman/listinfo/mythtv-users
>> http://wiki.mythtv.org/Mailing_List_etiquette
>> MythTV Forums: https://forum.mythtv.org
>>
>
>This is not a security discussion group, and I find that this discussion
>really has gone overboard. You have to upgrade openssl on your server IF
>you use apache and openssl to deliver any content on your mythtv server
>(for example mythweb). Changing passwords on the server is also recommended
>(if you are really paranoid, the chance that someone has targeted your
>mythtv server is slim to none, there are larger fish in the sea).
>
>Clients using openssl are not affected by this bug, so smartphones,
>tablets, set-top boxes and the like (as long as they are not serving
>content with openssl, which few are doing), do not need to be upgraded.
>Openssh is not affected either. Your password and possibly your public key
>can be compromised, if you are  worried about your password, change it. If
>you worry about someone getting your public key, then you don't understand
>how key generation and login work.
>
>The main thing is however that your server won't be compromised just
>because it is internet-facing and used an old version of openssl. Check
>your server logs to see if there are strange logins, change the password
>and you are fine!
>
>The problem is worse on all of our Internet services. You should really
>think about changing passwords there. And I can't imagine that there are
>any sysops that haven't upgraded openssl already....
>
>Regards
>
>Andréas

Have you ever got it wrong!  The PRIVATE keys can be compromised by
this bug, not the public keys.  It is impossible to "compromise" a
public key as they are supposed to be publicly available.  The bug
allows an attacker access to up to 64 kbytes of memory on each request
and to keep on requesting 64 kbyte chunks of data.  So they can get
access to just about anything that is in RAM on the PC.  I am unsure
if that is limited to just the memory of the program running the SSL
code, or if more general access is gained.  But anything running SSL
will have the private keys in RAM so it can do encoding and decoding,
and they will be accessible via the bug.

And also, the client side data is apparently vulnerable too, not just
the server side.  That may depend on just what software we are talking
about, but I am not sure.  So at this point, it is better to be safe
than sorry.  It may just be that if you use a browser to connect to an
https site, you are opening up your PC to attack.

Please have a good read of this authoritative site:

  http://heartbleed.com
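To make the "64 kbytes of memory on each request" mechanism concrete, here is an added example that is not part of this thread or of OpenSSL itself. It simulates, on a constructed in-memory buffer (no network, no real server), how a heartbeat handler that trusts the peer's declared payload_length reads past the received record, and how the bounds check from the fix stops that. The message layout follows RFC 6520; `build_heartbeat`, `respond_unchecked`, `respond_checked`, `leaked_bytes` and the `[CONSTRUCTED SECRET]` marker are all assumptions of this example, not OpenSSL code.

```python
import struct

# RFC 6520 heartbeat message (carried in a TLS record of content type 24):
#   type (1 byte): 1 = request, 2 = response
#   payload_length (2 bytes, big-endian) -> at most 65535, i.e. "64 kbytes"
#   payload (payload_length bytes)
#   padding (at least 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(declared_len, payload, padding=b"\x00" * MIN_PADDING):
    """Constructed test helper: a heartbeat request whose declared length may
    disagree with the bytes actually carried (as a malformed peer would send)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + padding


def respond_unchecked(record, process_memory):
    """Pre-fix behaviour, simulated: trust payload_length and copy that many
    bytes starting at the payload. `process_memory` is a constructed bytes
    object standing in for whatever the process had in RAM just after the
    received record (session data, private keys, other users' requests...)."""
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # The record sits at offset 0 of this simulated memory; the copy runs past its end.
    memory = record + process_memory
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + memory[3:3 + payload_len]


def respond_checked(record):
    """Post-fix behaviour: the declared length must fit inside the bytes that
    were actually received (plus the mandatory padding); otherwise the
    request is silently discarded, which is what the patched OpenSSL does."""
    if len(record) < 3:
        return None
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 3 + payload_len + MIN_PADDING > len(record):
        return None  # declared length exceeds the record: drop it
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(record, process_memory):
    """Number of bytes beyond the received record that the unchecked path returns."""
    resp = respond_unchecked(record, process_memory)
    if resp is None:
        return 0
    returned = len(resp) - 3        # payload bytes in the response
    carried = len(record) - 3       # payload + padding bytes actually received
    return max(0, returned - carried)


# Constructed stand-in for the server's memory; the marker plays the role of
# a private key or session cookie that happens to sit near the record.
PROCESS_MEMORY = b"\x00" * 100 + b"[CONSTRUCTED SECRET]" + b"\x00" * 20000

# A well-formed request: declared length 2, carrying exactly 2 bytes.
GOOD_REQUEST = build_heartbeat(2, b"hi")
# A malformed request: declares 16 KiB but carries only 2 bytes.
BAD_REQUEST = build_heartbeat(0x4000, b"hi")

if __name__ == "__main__":
    print("well-formed, checked  :", respond_checked(GOOD_REQUEST))
    print("malformed, checked    :", respond_checked(BAD_REQUEST))
    print("malformed, unchecked  : leaks", leaked_bytes(BAD_REQUEST, PROCESS_MEMORY), "bytes")
    print("secret in response    :", b"[CONSTRUCTED SECRET]" in respond_unchecked(BAD_REQUEST, PROCESS_MEMORY))
```

Two points the thread debates fall out of this directly: the over-read is bounded by the 16-bit length field (so 64 kbytes per request, repeatable), and it is a read of the process's own memory, which is why private keys and session data held by the TLS process are at risk while a public key, being public, is not a secret that can be "compromised". Because the handler also exists on the client side of a TLS connection, the same check applies to clients that respond to heartbeats, which is Stephen's point about client-side exposure.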
