OpenSSL security vulnerability

Read 14092 times
I think everyone should update ASAP, not sure why they didn't post a notification of this here

http://centova.com/en/news/@article/53439e70/openssl_security_vulnerability
My Auto DJ
Orlando, FL USA
Quality SHOUTcast Hosting http://myautodj.com
SHOUTcast Widgets http://shoutcastwidgets.com
If you have cPanel you should run
yum update
restart Apache

http://filippo.io/Heartbleed/
My Auto DJ
Orlando, FL USA
Quality SHOUTcast Hosting http://myautodj.com
SHOUTcast Widgets http://shoutcastwidgets.com
Do we know whether Centova have issued new keys along with the fix?
Hello,

We didn't release any new private key/certificate because this depends on each customer configuration.

If you have a self signed certificate, then you can generate a new by following those instructions:

mkdir /usr/local/centovacast/etc/ssl/old
mv /usr/local/centovacast/etc/ssl/* /usr/local/centovacast/etc/ssl/old
/usr/local/centovacast/sbin/update web --force

You'll see this message in the update system:

Creating self-signed SSL certificate for 127.0.0.1 ...
Generating private key ...
Generating certificate ...
I think everyone should update ASAP
Agreed. Centova Cast was using the most up-to-date version of OpenSSL prior to this disclosure so it was vulnerable along with everyone else. Everyone should update immediately.

not sure why they didn't post a notification of this here
I thought the front page of our web site was about as prominent as we could make it but... I suppose you can't please everyone. :)

Do we know whether Centova have issued new keys along with the fix?
That's not how public key cryptography works. If we shipped a preconfigured private key with Centova Cast, everyone would have it so it would be equivalent to no encryption at all. Every deployment of Centova Cast (just like every web site) uses its own unique key.

If you're worried about your own key you would need to either regenerate it per Rodrigo's instructions if it's self signed, or contact your SSL certificate issuer if it's a commercial cert.
I thought the front page of our web site was about as prominent as we could make it but... I suppose you can't please everyone. :)


Because we get email notifications when you post updates here in the forum, we do not get notified of updates to your home page
Last Edit: April 11, 2014, 04:17:03 am by My Auto DJ
My Auto DJ
Orlando, FL USA
Quality SHOUTcast Hosting http://myautodj.com
SHOUTcast Widgets http://shoutcastwidgets.com
Small ooop...

Correction...
mkdir /usr/local/centovacast/etc/sslold
mv /usr/local/centovacast/etc/ssl/* /usr/local/centovacast/etc/sslold
/usr/local/centovacast/sbin/update web --force

This would avoid the old directory trying to move itsself into itself..  8)