I have done manual patches of OpenSSL on systems that were not otherwise
upgradeable.  It usually works okay, but it depends on the distro and the
particular OpenSSL libraries they're looking for.  This is why all of the
libraries symlink to .so.1 and .so versions.  Usually this works fine ...
sometimes it doesn't and it's going to depend on the specific apps that
need SSL.  The process is generally to download the source package (.srpm
in the RH world) and load a more modern source tarball and adjust the SPEC
file or whatever is being used for DPKG.  Then you build it with a
different version number to avoid conflicts.  Not hard in general.  Really
hard if you've never done it before.

I have also tested the Heartbleed attack and was able to get data.  As
everyone says, the data you get is random.  You can, in theory, get private
data but what sort of data and how much is very use-case dependent.



On Wed, Jul 26, 2017 at 11:17 AM, Iznogoud <iznogoud at nobelware.com> wrote:

> This is the description of the issue:
>
> https://en.wikipedia.org/wiki/Heartbleed
> http://heartbleed.com/
>
> I know this is old news to everyone here. My question is: has anyone in
> here patched their distribution themselves?
>
> I just realized that one of my systems has a vulnerable OpenSSL version.
> (No, I will not just upgrade the distribution at this point.)
>
> I also would be interested to hear from anyone who tried the attack on
> their own system for educational purposes. Apparently it does not leave
> anything damaged.
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
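A first check for the "vulnerable OpenSSL version" question above, added here as an example and not code from either poster: it classifies an `openssl version` string against the upstream Heartbleed range. The sample version strings are constructed, and the changelog command in the comment is the usual RPM check for a backported fix, not anything from the thread.

```shell
#!/bin/sh
# Classify an `openssl version` string against the upstream Heartbleed range.
# Prints one of:
#   in-vulnerable-range  upstream 1.0.1 .. 1.0.1f, or 1.0.2-beta1
#   fixed-upstream       1.0.1g or later, 1.0.2-beta2 or later, 1.1.x, 3.x
#   unaffected           0.9.8 / 1.0.0 (these never had the TLS heartbeat code)
#   unknown              the string did not parse
# Caveat: distro builds backport the fix without bumping the upstream string
# (a patched package can still print 1.0.1e), so "in-vulnerable-range" means
# "confirm with the package changelog", e.g. on RPM systems:
#   rpm -q --changelog openssl | grep -i heartbeat
# A rebuilt package compiled with -DOPENSSL_NO_HEARTBEATS is also fixed even
# though its version string is unchanged; the changelog is the only record.
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]\)\{0,1\}\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)  echo in-vulnerable-range ;;
        1.0.1[g-z]|1.0.2*|1.1.*|[2-9].*) echo fixed-upstream ;;
        0.9.8*|1.0.0*)                  echo unaffected ;;
        *)                              echo unknown ;;
    esac
}

# Usage: classify the OpenSSL binary on this host (constructed entry point).
if [ "${1:-}" = "--local" ]; then
    classify_openssl_version "$(openssl version)"
fi
```

Run it as `sh heartbleed_check.sh --local` on the box in question; any result other than fixed-upstream or unaffected is the cue to read the package changelog before deciding whether a manual rebuild is needed.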