OpenSSL security vulnerability

I think everyone should update ASAP; not sure why they didn't post a notification of this here

http://centova.com/en/news/@article/53439e70/openssl_security_vulnerability
My Auto DJ
Orlando, FL USA
Quality SHOUTcast Hosting http://myautodj.com
SHOUTcast Widgets http://shoutcastwidgets.com
If you have cPanel you should run
yum update
restart Apache

http://filippo.io/Heartbleed/
My Auto DJ
Do we know whether Centova have issued new keys along with the fix?
Hello,

We didn't release any new private key/certificate because this depends on each customer configuration.

If you have a self-signed certificate, then you can generate a new one by following these instructions:

mkdir /usr/local/centovacast/etc/ssl/old
mv /usr/local/centovacast/etc/ssl/* /usr/local/centovacast/etc/ssl/old
/usr/local/centovacast/sbin/update web --force

You'll see this message in the update system:

Creating self-signed SSL certificate for 127.0.0.1 ...
Generating private key ...
Generating certificate ...
I think everyone should update ASAP
Agreed. Centova Cast was using the most up-to-date version of OpenSSL prior to this disclosure so it was vulnerable along with everyone else. Everyone should update immediately.

not sure why they didn't post a notification of this here
I thought the front page of our web site was about as prominent as we could make it but... I suppose you can't please everyone. :)

Do we know whether Centova have issued new keys along with the fix?
That's not how public key cryptography works. If we shipped a preconfigured private key with Centova Cast, everyone would have it so it would be equivalent to no encryption at all. Every deployment of Centova Cast (just like every web site) uses its own unique key.

If you're worried about your own key you would need to either regenerate it per Rodrigo's instructions if it's self signed, or contact your SSL certificate issuer if it's a commercial cert.
I thought the front page of our web site was about as prominent as we could make it but... I suppose you can't please everyone. :)


Because we get email notifications when you post updates here in the forum. We do not get notified of updates to your home page.
Last Edit: April 11, 2014, 04:17:03 am by My Auto DJ
My Auto DJ
Small oops...

Correction...
mkdir /usr/local/centovacast/etc/sslold
mv /usr/local/centovacast/etc/ssl/* /usr/local/centovacast/etc/sslold
/usr/local/centovacast/sbin/update web --force

This would avoid the old directory trying to move itself into itself..  8)
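
The backup-and-regenerate procedure discussed in this thread, as an added shell example that is not part of any post and not Centova's own tooling: it refuses a backup directory nested inside the live one and, after regeneration, reports any file that is still byte-identical to its backed-up copy. The function names `backup_ssl_dir` and `reused_files` are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added illustration, not Centova's tooling. Function names are assumptions.

# Move every entry of the live SSL directory into a sibling backup directory.
# Refuses a backup path inside (or equal to) the live directory, because
# `mv dir/* dir/old` would try to move "old" into itself.
backup_ssl_dir() {
    local live="${1%/}" backup="${2%/}" f
    [ -d "$live" ] || { echo "no such directory: $live" >&2; return 2; }
    case "$backup/" in
        "$live"/*) echo "backup dir must not be inside $live" >&2; return 1 ;;
    esac
    mkdir -p "$backup" && chmod 700 "$backup" || return 2
    for f in "$live"/*; do
        [ -e "$f" ] || continue          # empty directory: nothing to move
        mv "$f" "$backup"/ || return 2
    done
}

# After regeneration, print each file in the live directory that is
# byte-identical to its backed-up copy, i.e. material that was not replaced.
# Returns 0 when nothing is reused, 1 otherwise.
reused_files() {
    local live="${1%/}" backup="${2%/}" f name rc=0
    for f in "$live"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        if [ -f "$backup/$name" ] && cmp -s "$f" "$backup/$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Usage with the paths from the thread:
#   backup_ssl_dir /usr/local/centovacast/etc/ssl /usr/local/centovacast/etc/sslold
#   /usr/local/centovacast/sbin/update web --force
#   reused_files   /usr/local/centovacast/etc/ssl /usr/local/centovacast/etc/sslold
```

The backup directory still holds the old private key, so restrict access to it and delete it once the new certificate is confirmed working.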