Getting a grasp on Heartbleed and IDPs

Dave Perry Dave.Perry at hull-college.ac.uk
Fri Apr 11 04:34:30 EDT 2014


We're using AJP under Apache - but being Novell SLES10 (SP4), there aren't super up to date versions on their official patching system.
I checked the OpenSSL version on our IdP and it's 0.9.8a (even after running a zypper update) - the secadv detail I saw said only 1.0.1 was vulnerable, so whilst I'd accept an older version should be updated I hope that's the IdP clear.

I will get the SPs (both Windows, 2.5.2 I think - installed 6 months ago) updated ASAP.


Dave

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

Please rate our service in the annual Libraries & eLearning User survey.
You could win a £15 Amazon voucher!
For staff - http://library.hull-college.ac.uk/staffsurvey 
For students - http://library.hull-college.ac.uk/survey 

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: 10 April 2014 18:40
To: Shib Users
Subject: Re: Getting a grasp on Heartbleed and IDPs

On 4/10/14, 1:32 PM, "Ian Young" <ian at iay.org.uk> wrote:
>
>On 10 Apr 2014, at 18:25, Nate Klingenstein <ndk at internet2.edu> wrote:
>
>> Wherein Apache was protecting 8443, of course.  Sorry.  If you're a 
>>Tomcat-only IdP deployment, your exposure from this vulnerability is 
>>basically nil.
>
>I think we still have concerns that a Tomcat-only deployment may be 
>vulnerable if it was configured to use the Apache Portable Runtime as 
>an SSL accelerator, as it would mean that there was a live OpenSSL 
>inside the same process as the JVM.
>
>If anyone has any definitive information about this either way it would 
>be really helpful.

I don't have any information on the continued relevance of that option, but I can definitely say that if you use the APR connector for TLS in Tomcat (that's APR, not AJP, two different things), you would be subject to the issue if the version of OpenSSL was affected.

-- Scott
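
The two questions the thread turns on can be checked from a shell: whether the host's OpenSSL is in the affected range (1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g fixed it, and the 0.9.8 and 1.0.0 lines never had the bug), and whether Tomcat terminates TLS through the APR/native connector, which puts OpenSSL inside the JVM, or through JSSE, which does not. The script below is an added example, not code from this list or from the Shibboleth project. The server.xml it inspects is a constructed sample, the credential paths in it are illustrative, and the class names are the Tomcat connector classes (Http11AprProtocol, Http11NioProtocol, Http11Protocol); the caveat it encodes is that a connector declared with protocol="HTTP/1.1" (or no protocol at all) lets Tomcat choose APR whenever the Tomcat Native library is found on the library path.

```shell
#!/bin/sh
# Added example for the thread above; not code from the list or the Shibboleth
# project.  Two triage checks for a Tomcat-hosted IdP:
#   1. heartbleed_affected: is an `openssl version` line in the affected range
#      (1.0.1 through 1.0.1f, plus the 1.0.2 betas; 1.0.1g, 1.0.0 and 0.9.8 are not)?
#   2. tls_connectors: which SSLEnabled connectors in server.xml would run
#      OpenSSL inside the JVM (APR/native) rather than JSSE?

# heartbleed_affected "OpenSSL 1.0.1e-fips 11 Feb 2013" -> prints yes|no.
# Patterns cover the advisory's range; any other 1.0.1 build string (e.g. a
# "-dev" snapshot) is flagged too, so triage errs towards "yes".
heartbleed_affected() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta*) echo yes ;;
    *) echo no ;;
  esac
}

# strip_xml_comments STRING -> STRING with <!-- ... --> blocks removed, so the
# commented-out connectors in a stock server.xml are not reported.
strip_xml_comments() {
  s=$1
  while :; do
    case "$s" in *"<!--"*) ;; *) break ;; esac
    head=${s%%<!--*}
    rest=${s#*<!--}
    case "$rest" in *"-->"*) s="$head${rest#*-->}" ;; *) s=$head; break ;; esac
  done
  printf '%s\n' "$s"
}

# tls_connectors FILE -> one "<port> <class>" line per SSLEnabled="true" connector:
#   apr-openssl            protocol="...Http11AprProtocol": OpenSSL inside the JVM
#   jsse                   protocol="...Http11NioProtocol" or "...Http11Protocol"
#   auto-apr-if-tcnative   protocol="HTTP/1.1" or absent: Tomcat picks APR when
#                          the Tomcat Native library is on the library path
tls_connectors() {
  strip_xml_comments "$(tr '\n' ' ' < "$1")" |
    grep -o '<Connector [^>]*>' |
    while read -r c; do
      case "$c" in *'SSLEnabled="true"'*) ;; *) continue ;; esac
      port=$(printf '%s\n' "$c" | sed -n 's/.* port="\([0-9]*\)".*/\1/p')
      case "$c" in
        *Http11AprProtocol*)                  cls=apr-openssl ;;
        *Http11NioProtocol*|*Http11Protocol*) cls=jsse ;;
        *)                                    cls=auto-apr-if-tcnative ;;
      esac
      echo "$port $cls"
    done
}

# write_sample_server_xml -> path to a constructed server.xml (not a real
# deployment's file; the credential paths are illustrative assumptions).
write_sample_server_xml() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- commented-out connector, as in the stock file: must not be reported
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/opt/shibboleth-idp/credentials/idp.crt"
               SSLCertificateKeyFile="/opt/shibboleth-idp/credentials/idp.key" />
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/shibboleth-idp/credentials/idp.jks" />
  </Service>
</Server>
EOF
  echo "$f"
}

# Demo: classify this host's OpenSSL, then the constructed server.xml.
echo "system openssl affected: $(heartbleed_affected "$(openssl version 2>/dev/null || echo 'OpenSSL unknown')")"
tls_connectors "$(write_sample_server_xml)"
```

Two things the script cannot settle on its own. An `auto-apr-if-tcnative` result means the answer depends on whether libtcnative is actually installed, so check Tomcat's startup log for the "Loaded APR based Apache Tomcat Native library" line. And `openssl version` reports the system library; a Tomcat Native build that carries its own copy of OpenSSL (as the Windows tcnative binaries do) has to be checked separately, because the AJP connector on 8009 never does TLS at all, exactly as Scott says: with AJP behind Apache, the OpenSSL that matters is the one mod_ssl in httpd links against.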