On 04/09/2014 04:39 AM, Roger Dingledine wrote:
> On Tue, Apr 08, 2014 at 07:31:43PM -0600, Jesse Victors wrote:
>> I'd recommend that every relay operator delete their keys as well,
>
> Not every. Those on OpenSSL 0.9.8, e.g. because they're using Debian
> oldstable, were never vulnerable to this bug. I imagine there are some
> FreeBSD or the like people out there in a similar boat. And CentOS people, etc.
>
> --Roger
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
The most up-to-date CentOS was supposedly vulnerable? Same as Red Hat. But I don't know how to test for the vulnerability itself, so I don't really know.
Red Hat's emailed warning to update OpenSSL went out yesterday as "Security Advisory - RHSA-2014:0376-1". CentOS' updated OpenSSL was available right away as well, and the CentOS 6.5 boxes pulled it right down in an update.
I did have some slightly older CentOS 5 boxes which had a version of SSL that was reportedly not vulnerable.
Page heartbleed.com said:
How about operating systems?
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distributions with versions that are not vulnerable:
Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
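An added check, not from the thread, that turns the heartbleed.com list above into a triage function: it parses `openssl version` output or package version strings and classifies each by upstream release. The caveat the thread keeps running into is that RHEL/CentOS and Debian backport the fix without changing "1.0.1e", so a `check_errata` result has to be settled against the vendor advisory (RHSA-2014:0376 in this case) or the package changelog, never the version string alone. Function names and the sample strings are my own.

```python
import re
from typing import NamedTuple, Optional

# Per the heartbleed.com list quoted in this thread: the 1.0.1 series before
# 1.0.1g carried the bug, 1.0.1g is the fixed release, and 0.9.8 (and 1.0.0)
# never had the TLS heartbeat code at all.
AFFECTED_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"

# Matches "1.0.1e", "0.9.8o-4squeeze14", "1.0.1-4ubuntu5.11", "1.0.1e-fips".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([\w.+]+))?")


class Verdict(NamedTuple):
    upstream: tuple          # (major, minor, fix, letter)
    suffix: Optional[str]    # distro build number or build tag after the '-'
    status: str


def classify(version_string: str) -> Verdict:
    """Classify an 'openssl version' line or a package version string.

    status is one of:
      'not_affected'    - 1.0.0 or older: no heartbeat code in these series
      'fixed_upstream'  - 1.0.1g or later
      'check_errata'    - affected upstream release; a distro backport (RHEL,
                          CentOS, Debian) keeps this exact string after
                          patching, so only the errata/changelog clears it
      'unlisted_branch' - not on the thread's list (the 1.0.2 betas also
                          carried the bug; consult the upstream advisory)
    """
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"no OpenSSL version found in {version_string!r}")
    upstream = (int(m[1]), int(m[2]), int(m[3]), m[4])
    branch = upstream[:3]
    if branch < AFFECTED_BRANCH:
        status = "not_affected"
    elif branch == AFFECTED_BRANCH:
        status = "check_errata" if upstream[3] < FIXED_LETTER else "fixed_upstream"
    else:
        status = "unlisted_branch"
    return Verdict(upstream, m[5], status)


def triage(version_strings):
    """Map each inventory string to its status, e.g. over a fleet of relays."""
    return {s: classify(s).status for s in version_strings}
```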
tor@t-3.net:
> Red Hat's emailed warning to update OpenSSL went out yesterday as "Security Advisory - RHSA-2014:0376-1". CentOS' updated OpenSSL was available right away as well, and the CentOS 6.5 boxes pulled it right down in an update.
Just FYI: https://listserv.fnal.gov/scripts/wa.exe?A2=ind1404&L=scientific-linux-u... "CentOS hacked up a fix that disabled the feature prior to Red Hat pushing the official errata. CentOS replaced the hack ~90 minutes later."
If interested, you may also look through the Scientific Linux-{devel,errata,users} lists for more information on Heartbleed for RHEL/SL/CentOS.