Difference between revisions of "Live GIS Disc Press Release 49"

From OSGeo
Jump to navigation Jump to search
Line 1: Line 1:
= OSGeo-Live and Heartbleed vulnerability=
+
= OSGeo-Live and HeartBleed vulnerability=
  
 
14 April 2014
 
14 April 2014
  
The [http://heartbleed.com/ Heartbleed Bug], (what is HeartBleed), (how much does it affect the OSGeo Live apps, and how)
+
The [http://heartbleed.com/ Heartbleed Bug] - described in [http://www.ubuntu.com/usn/usn-2165-1/ this Ubuntu Security Note] - is a serious security exposure, and the relevant software components are shipped on the OSGeoLive from version 6.0 to the present. Please read the following text carefully, and apply to your own OSGeoLive usage as appropriate.
  
(OSGeoLive disclaimer regarding production setup)
+
As described in many widely available posts on the Internet, the HeartBleed vulnerability is exposed when network software  uses the Transport Layer Security (TLS) feature built on top of a current version of the encryption library openssl. The fix to the vulnerability is to upgrade the openssl package via the Ubuntu/Debian apt mechanism.
 +
 
 +
No software on the OSGeoLive is configured to serve network connections using TLS "out of the box." However, some software (such as QGis) which provide WMS connectivity to other network services, may create a reverse-vulnerability when a secure connection is established. By patching your OSGeoLive openssl library, you can close that reverse-exposure.
 +
 
 +
Please note that the OSGeoLive project does not recommend using the Live "as-is" for production deployment on the Internet.
 +
 
 +
The OSGeoLive project recommends that all installed versions of an affected OSGeoLive release follow at a minimum, these steps:
 +
 
 +
 +
All users of OSGeo Live from versions 6.0 to the present 7.9 release are strongly encouraged to apply software updates to any installed system
  
(recommendation to OSGeo Live install users)
 
  
 
==OSGeo-Live releases effected include==
 
==OSGeo-Live releases effected include==

Revision as of 07:48, 13 April 2014

OSGeo-Live and HeartBleed vulnerability

14 April 2014

The Heartbleed Bug - described in this Ubuntu Security Note - is a serious security exposure, and the relevant software components are shipped on the OSGeoLive from version 6.0 to the present. Please read the following text carefully, and apply to your own OSGeoLive usage as appropriate.

As described in many widely available posts on the Internet, the HeartBleed vulnerability is exposed when network software uses the Transport Layer Security (TLS) feature built on top of a current version of the encryption library openssl. The fix to the vulnerability is to upgrade the openssl package via the Ubuntu/Debian apt mechanism.

No software on the OSGeoLive is configured to serve network connections using TLS "out of the box." However, some software (such as QGis) which provide WMS connectivity to other network services, may create a reverse-vulnerability when a secure connection is established. By patching your OSGeoLive openssl library, you can close that reverse-exposure.

Please note that the OSGeoLive project does not recommend using the Live "as-is" for production deployment on the Internet.

The OSGeoLive project recommends that all installed versions of an affected OSGeoLive release follow at a minimum, these steps:


All users of OSGeo Live from versions 6.0 to the present 7.9 release are strongly encouraged to apply software updates to any installed system


OSGeo-Live releases effected include

OSGeo-Live releases based on Ubuntu 12.04 are effected. This includes versions:

  • 6.0
  • 6.5
  • 7.0
  • 7.9

How to Fix

The following commands run from the command line will address the patch: