Heartbleed!?!?!?!?!?!

thebardingreen
Posts: 6
Joined: Mon Jul 29, 2013 8:46 pm

Heartbleed!?!?!?!?!?!

Postby thebardingreen » Sat Apr 12, 2014 1:43 pm

First off, I'm a little unnerved I can't find anything about Heartbleed and its impact on Amahi on the forums here when I know Amahi uses OpenVPN, which uses OpenSSL. So I believe every single Amahi machine out there is vulnerable and some older ones (like mine, which I've had running Amahi for a year and a half using 32-bit Fedora) *may just be unpatchable and I'm SOL*. Because apparently, patched 32-bit OpenSSL is available for Fedora 19, but the 32-bit Amahi I installed back then was *not* 19.

Could we have any word on this from the Amahi folks?

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: Heartbleed!?!?!?!?!?!

Postby bigfoot65 » Sat Apr 12, 2014 2:54 pm

If you have Fedora 14 then you're out of luck. It reached end of life years ago.

This OpenSSL bug is not a big deal unless you expose your Amahi machine to the Internet. Too many are freaking out over nothing. Financial systems are the main concern.

This is not an Amahi issue but an OS issue. Sorry, not much we can do about it. Amahi infrastructure has been patched.


ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2

thebardingreen
Posts: 6
Joined: Mon Jul 29, 2013 8:46 pm

Re: Heartbleed!?!?!?!?!?!

Postby thebardingreen » Sat Apr 12, 2014 6:43 pm

Yeah, I'm sure I'm SOL with the ancient POS I'm using as my server. No biggie.

However, I'm surely not clear on this "It's not a big deal unless your Amahi machine is exposed to the internet" thing. My Amahi machine is doing its job and being an OpenVPN server so that I can connect to my network while I'm traveling and my friends can hit my Minecraft server and some other stuff. Which... would mean it's exposed to the internet, yes? The mere fact I'm posting on these forums means anyone in the Universe can tell there's an Amahi server running at thebardingreen.yourhda.com.

The OpenVPN folks consider this a serious issue. But Amahi does not? Should I assume this means you have no plans to patch Windows HDA Connect in the short term?

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: Heartbleed!?!?!?!?!?!

Postby bigfoot65 » Sat Apr 12, 2014 7:02 pm

> My Amahi machine is doing its job and being an OpenVPN server so that I can connect to my network while I'm traveling and my friends can hit my Minecraft server and some other stuff. Which... would mean it's exposed to the internet, yes?

I suppose that could be true that it's somewhat exposed. From what I have read, VPN should be harder to crack. I could be wrong.

> The mere fact I'm posting on these forums means anyone in the Universe can tell there's an Amahi server running at thebardingreen.yourhda.com.

That is not true, as you can be posting here and not have an Amahi server running. Now that you have posted your server access name (if that is the actual name), it could be easier to hack into your machine.

> The OpenVPN folks consider this a serious issue. But Amahi does not?

I never said we did not consider it serious; however, there is nothing Amahi can do for your server to correct this issue. I would think if it was a concern for users, we would have notified the Amahi community of actions needed to mitigate the threat. Since it's OpenSSL, which is an OS package, not Amahi, there is nothing we can do. We cannot control whether the OS chooses to update OpenSSL or not and when.

> Should I assume this means you have no plans to patch Windows HDA Connect in the short term?

I don't use the HDA Connect. Does it contain OpenSSL for Windows? If so, then we would need to update it.

Please don't misunderstand my previous post. What my main point was is to simply state this is not something to panic over in regards to an Amahi server. From all I have read, the big concerns were passwords being stolen for online accounts. In my opinion, this would be most worrisome for online banking but not home servers so much.

We did patch all the Amahi sites immediately, so no passwords or information could be compromised as a result of this threat.

I will have to ask about the HDA Connect app. I am unsure who supports it on the team.

EDIT: This might help answer some questions. http://p37.ny.sl.pt

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: Heartbleed!?!?!?!?!?!

Postby cpg » Sat Apr 12, 2014 8:35 pm

We will release an update to the repos that will require an update of the latest openssl that contains a fix to the heartbleed bug.

The client does not need patching, only the server.
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: Heartbleed!?!?!?!?!?!

Postby bigfoot65 » Sat Apr 12, 2014 8:42 pm

Just to clarify. Will this apply to Fedora 14 and Ubuntu or just Amahi 7?

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: Heartbleed!?!?!?!?!?!

Postby cpg » Sat Apr 12, 2014 8:50 pm

Amahi 7 only

thebardingreen
Posts: 6
Joined: Mon Jul 29, 2013 8:46 pm

Re: Heartbleed!?!?!?!?!?!

Postby thebardingreen » Sun Apr 13, 2014 2:04 pm

Thank you for the response! This information is greatly appreciated.

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: Heartbleed!?!?!?!?!?!

Postby bigfoot65 » Thu Apr 17, 2014 5:45 am

Here's a little bit of info about the heartbleed bug that I obtained from work. This should put those who are concerned at ease a bit since it won't affect Amahi home servers on the level that some believed.

> On 7 April 2014, a significant vulnerability was identified. This flaw, the Heartbleed Bug, is found in the widespread Web encryption program (OpenSSL) used by secure sites and allows access to the memory of servers where the data is stored. While websites and tech companies are working as quickly as possible to apply appropriate fixes, the implications of this vulnerability are serious and far reaching.
>
> • The secure sites that could be affected are those that begin with “https:” This could include social media sites, banking sites, and any page that processes credit card information. That encompasses a large number of sites. In fact, an April survey from the research site Netcraft estimates that two-thirds of active Internet sites run OpenSSL.
>
> • Since the leak allows access to the memory of servers running OpenSSL, sensitive information such as usernames, passwords, and data are available for exploitation. Further, this vulnerability has gone undetected for about 2 years.
>
> • Over the next several days, be prepared to change passwords on sites that store banking and personal information. Keep in mind websites and tech companies are still working to apply the patches, so keep up to date on current website status. Changing passwords before the patches are applied would be ineffective since data would still be vulnerable.
>
> The best ways to protect yourself are through good personal security practices:
>
> (1) Change your passwords on all accounts after validating the vulnerable website was patched
>
> (2) Watch for phishing emails advising you to change your password (verify through websites first)
>
> (3) Use different and unique passwords for each site
>
> (4) Use dual-factor authentication if an option (text message to cell and password).
>
> Sources:
> http://news.netcraft.com/archives/2014/ ... urvey.html
> http://www.reuters.com/article/2014/04/ ... 4U20140410

Rest assured that Amahi web sites have already been patched and are safe.
