Re: [Dolibarr-dev] Heartbleed bug on Dolibarr.fr


From: Doursenaud , Raphaël
Subject: Re: [Dolibarr-dev] Heartbleed bug on Dolibarr.fr
Date: Thu, 10 Apr 2014 14:14:04 +0200

Get your facts straight: heartbleed.com
SSH accesses are unaffected.
You're right though that an affected HTTPS service, even if no website is configured, can reveal information from server memory.
The question is, what confidential/critical information can leak from dolibarr.fr/dolibarr.org?
The only thing that comes to mind is forum passwords.

Anyway, an update has to be deployed, but with this being so widespread, we are a tiny, tiny target with not so interesting info. No need to call the dogs ;)


2014-04-10 12:39 GMT+02:00 [Kreiz IT]Cédric GROSS <address@hidden>:

Hello,

Whether you use https or not isn't enough to settle whether to worry about this security hole. All communication based on SSL is implicated (certificates, SSH access, Github access, TLS etc.). If you use certificates issued from this server, they're basically all compromised.

Cedric

From: dolibarr-dev-bounces+c.gross=address@hidden [mailto:dolibarr-dev-bounces+c.gross=address@hidden] On behalf of Doursenaud, Raphaël
Sent: Thursday 10 April 2014 12:28
To: Posts about Dolibarr ERP & CRM development and coding
Subject: Re: [Dolibarr-dev] Heartbleed bug on Dolibarr.fr

 

Hey, thanks for the heads up but if you go to https://dolibarr.fr or https://dolibarr.org, you'll see that the HTTPS version of the site is not available. I think there's no need to worry…

 

2014-04-10 12:21 GMT+02:00 Lorenzo Novaro <address@hidden>:

Hello everyone,
While testing and fixing our own infrastructure I also tested the
websites we usually visit and the services we use on a regular basis.
During said round of tests I checked also dolibarr.fr and it appears
vulnerable to threats according to CVE-2014-0160.

Check http://filippo.io/Heartbleed/#dolibarr.fr

It seems to be an Ubuntu server, and so it would just be a matter of
upgrading the libopenssl and openssl packages to a recent fixed version.
If the vulnerability has already been fixed, it might be worth a
reboot (not all openssl-using services are included in the restart rules
of the updated packages on Debian and derived distros).

Bye,
Lorenzo.
--
Diciannove Soc. Coop.
http://19.coop
http://diciannove.tel

GENOVA  Via Luccoli, 14/8 - 16123
tel. +39 0109980020 - fax +39 0109980021

PARMA   Strada Buffolara 26/A - 43126
tel. +39 05211841134 - fax +39 0109980021

_______________________________________________
Dolibarr-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev



--

http://gpcsolutions.fr
Technopole Hélioparc
2 avenue du Président Pierre Angot
64053 PAU CEDEX 9
SARL GPC.solutions au capital de 7 500 € - R.C.S. PAU 528 995 921




--
Raphaël Doursenaud
Directeur technique (CTO)
Expert certifié en déploiement Google Apps
+33 (0)5 35 53 97 13 - +33 (0)6 68 48 20 10

http://gpcsolutions.fr
Technopole Hélioparc
2 avenue du Président Pierre Angot
64053 PAU CEDEX 9
SARL GPC.solutions au capital de 7 500 € - R.C.S. PAU 528 995 921
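Lorenzo's remark that the updated packages do not restart every openssl-using service is the part of this thread a defender can act on directly: a daemon started before the upgrade keeps the old libssl/libcrypto mapped and keeps serving the pre-fix code. The script below is an added example written for this page, not code from the thread, from Dolibarr or from any distribution; the function names `stale_ssl_libs` and `scan_running_processes` are hypothetical, it assumes a Linux host where /proc/PID/maps marks a replaced-on-disk mapping with a trailing "(deleted)", and the two sample maps files it creates are constructed, not captured from dolibarr.fr or any real server.

```shell
#!/bin/sh
# Added example, not from the thread: after the openssl packages were upgraded,
# find processes still running the old copy. When a mapped file is replaced on
# disk, the kernel keeps the old inode alive and /proc/PID/maps shows the
# mapping with a trailing "(deleted)". Such a service still runs the
# pre-upgrade code until it is restarted (or the host rebooted).

# stale_ssl_libs MAPS_FILE
#   Prints each distinct libssl/libcrypto path mapped from a deleted file in
#   the given maps file. Returns 0 if any were found, 1 otherwise.
stale_ssl_libs() {
    found=$(grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]*[[:space:]]+\(deleted\)$' "$1" 2>/dev/null \
            | awk '{ print $6 }' | sort -u)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# scan_running_processes
#   Walks /proc and prints "PID<TAB>command<TAB>stale libs" for every process
#   that still maps a deleted libssl/libcrypto. Run as root to see all PIDs.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(stale_ssl_libs "$maps") || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
}

# Constructed sample maps files (not captured from a real host) so the helper
# can be exercised without root: one process still holding the replaced
# libraries, one that was started after the upgrade.
SAMPLE_STALE=$(mktemp)
SAMPLE_CLEAN=$(mktemp)
cat > "$SAMPLE_STALE" <<'EOF'
00400000-00500000 r-xp 00000000 08:01 131073 /usr/sbin/apache2
7f1a40000000-7f1a40200000 r-xp 00000000 08:01 262200 /lib/x86_64-linux-gnu/libc-2.13.so
7f1a40400000-7f1a40600000 r-xp 00000000 08:01 262301 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1a40800000-7f1a40860000 r-xp 00000000 08:01 262302 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a40a60000-7f1a40a70000 rw-p 00060000 08:01 262302 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
EOF
cat > "$SAMPLE_CLEAN" <<'EOF'
00400000-00500000 r-xp 00000000 08:01 131073 /usr/sbin/nginx
7f2b40400000-7f2b40600000 r-xp 00000000 08:01 270101 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f2b40800000-7f2b40860000 r-xp 00000000 08:01 270102 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0 [stack]
EOF

# Demo: report on the constructed samples, then on the live host if asked.
echo "constructed stale process:"; stale_ssl_libs "$SAMPLE_STALE"
echo "constructed clean process:"; stale_ssl_libs "$SAMPLE_CLEAN" || echo "(none)"
if [ "${1-}" = "--scan" ]; then scan_running_processes; fi
```

Run it as root with `--scan` to list the services that still need a restart after the upgrade; any process it reports is still executing the vulnerable library no matter what `dpkg -l` says. On Debian and derivatives the `checkrestart` tool from the debian-goodies package performs a more complete version of this check (it also looks at deleted files other than the SSL libraries), and a reboot, as Lorenzo suggests, is the blunt but reliable alternative.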
