Difference between revisions of "Live GIS Disc Press Release 49"

From OSGeo
Jump to navigation Jump to search
(Created page with "= OSGeo-Live and Heartbleed vulnerability= 14 April 2014 The [http://heartbleed.com/ Heartbleed Bug], which is a vulnerability in OpenSSL is also applicable for a number of the...")
 
(typo)
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= OSGeo-Live and Heartbleed vulnerability=
+
= OSGeo-Live and HeartBleed vulnerability=
  
 
14 April 2014
 
14 April 2014
  
The [http://heartbleed.com/ Heartbleed Bug], which is a vulnerability in OpenSSL is also applicable for a number of the OSGeo live releases.
+
The [http://heartbleed.com/ Heartbleed Bug] - described in [http://www.ubuntu.com/usn/usn-2165-1/ this Ubuntu Security Note] - is a serious security exposure, and the relevant software components shipped on the OSGeo-Live versions 6.0 to the present 7.9.
OSGeo-Live is designed for demonstrating OSGeo software rather than being used for setting up hardened production servers, and as such shouldn't be used as a base system for storing sensitive data.
 
  
Even so, we do recommend anyone who has installed OSGeo-Live should patch the system.
+
As described in many widely available posts on the Internet, the HeartBleed vulnerability is exposed when network software  uses the Transport Layer Security (TLS) feature built on top of a current version of the encryption library openssl. The fix to the vulnerability is to upgrade the openssl package via the Ubuntu/Debian apt mechanism.
  
==OSGeo-Live releases effected include==
+
No software on the OSGeo-Live is configured to serve network connections using TLS "out of the box." However, some software (such as QGis) which provide WMS connectivity to other network services, may create a reverse-vulnerability when a secure connection is established. By patching your OSGeo-Live openssl library, you can close that reverse-exposure.
OSGeo-Live releases based on Ubuntu 12.04 are effected. This includes versions:
+
 
 +
Please note that the OSGeo-Live project does not recommend using OSGeo-Live "as-is" for production deployment on the Internet.
 +
 
 +
All users of OSGeo Live from versions 6.0 to the present 7.9 release are strongly encouraged to apply software updates to any installed system.
 +
 
 +
 
 +
==OSGeo-Live releases affected==
 +
OSGeo-Live releases based on Ubuntu 12.04 are affected. This includes versions:
 
* 6.0
 
* 6.0
 
* 6.5
 
* 6.5
Line 16: Line 22:
  
 
== How to Fix ==
 
== How to Fix ==
The following commands run from the command line will address the patch:
+
The OSGeo-Live project recommends that all installed versions of an affected OSGeo-Live release follow at a minimum, these steps:
 +
<pre>
 +
sudo apt-get update
 +
sudo apt-get install libssl1.0.0
 +
</pre>
 +
 
 +
The default password is "user" (four characters).
 +
 
 +
Using the graphical update manager will also work, click the 8 pointed star in the top toolbar. Make sure to check for updates and apply any updates to libssl available.
  
  sudo apt-get install libssl1.0.0
+
A '''restart''' of all services is required after the update is applied, otherwise old libs are used for RAM. You can either restart by hand or reboot the whole system.

Latest revision as of 19:18, 17 April 2014

OSGeo-Live and HeartBleed vulnerability

14 April 2014

The Heartbleed Bug - described in this Ubuntu Security Note - is a serious security exposure, and the relevant software components shipped on the OSGeo-Live versions 6.0 to the present 7.9.

As described in many widely available posts on the Internet, the HeartBleed vulnerability is exposed when network software uses the Transport Layer Security (TLS) feature built on top of a current version of the encryption library openssl. The fix to the vulnerability is to upgrade the openssl package via the Ubuntu/Debian apt mechanism.

No software on the OSGeo-Live is configured to serve network connections using TLS "out of the box." However, some software (such as QGis) which provide WMS connectivity to other network services, may create a reverse-vulnerability when a secure connection is established. By patching your OSGeo-Live openssl library, you can close that reverse-exposure.

Please note that the OSGeo-Live project does not recommend using OSGeo-Live "as-is" for production deployment on the Internet.

All users of OSGeo Live from versions 6.0 to the present 7.9 release are strongly encouraged to apply software updates to any installed system.


OSGeo-Live releases affected

OSGeo-Live releases based on Ubuntu 12.04 are affected. This includes versions:

  • 6.0
  • 6.5
  • 7.0
  • 7.9

How to Fix

The OSGeo-Live project recommends that all installed versions of an affected OSGeo-Live release follow at a minimum, these steps:

sudo apt-get update
sudo apt-get install libssl1.0.0

The default password is "user" (four characters).

Using the graphical update manager will also work, click the 8 pointed star in the top toolbar. Make sure to check for updates and apply any updates to libssl available.

A restart of all services is required after the update is applied, otherwise old libs are used for RAM. You can either restart by hand or reboot the whole system.