OpenSSL CVE-2014-0160
- Thread starter yak983
- Start date
2014-04-08 09:29:38.332 [NOTICE] [AutoUpdate] Checking for new releases..., pid=24019
/usr/bin/wget -nv -O /lsws-4.2.9-std-x86_64-linux.tar.gz http://www.litespeedtech.com/packages/4.0/lsws-4.2.9-std-x86_64-linux.tar.gz
http://www.litespeedtech.com/packages/4.0/lsws-4.2.9-std-x86_64-linux.tar.gz:
2014-04-08 09:29:38 ERROR 404: Not Found.
/usr/bin/wget -nv -O /lsws-4.2.9-std-x86_64-linux.tar.gz http://www.litespeedtech.com/packages/4.0/lsws-4.2.9-std-x86_64-linux.tar.gz
http://www.litespeedtech.com/packages/4.0/lsws-4.2.9-std-x86_64-linux.tar.gz:
2014-04-08 09:29:38 ERROR 404: Not Found.
/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.9
2014-04-08 09:43:49.401 [NOTICE] [AutoUpdate] Checking for new releases..., pid= 16374
expr: syntax error
/usr/bin/wget -nv -O /usr/local/lsws/autoupdate/lsws-4.2.9--x86_64-linux.tar.gz http://www.litespeedtech.com/packages/4.0/lsws-4.2.9--x86_64-linux.tar.gz
http://www.litespeedtech.com/packages/4.0/lsws-4.2.9--x86_64-linux.tar.gz:
2014-04-08 09:43:50 ERROR 404: Not Found.
2014-04-08 09:43:49.401 [NOTICE] [AutoUpdate] Checking for new releases..., pid= 16374
expr: syntax error
/usr/bin/wget -nv -O /usr/local/lsws/autoupdate/lsws-4.2.9--x86_64-linux.tar.gz http://www.litespeedtech.com/packages/4.0/lsws-4.2.9--x86_64-linux.tar.gz
http://www.litespeedtech.com/packages/4.0/lsws-4.2.9--x86_64-linux.tar.gz:
2014-04-08 09:43:50 ERROR 404: Not Found.
Thanks for providing the patched update, however the Heartbleed test is failing with a timeout. This is probably a Heartbleed issue, but I wanted to post here and check if it's a problem with the Litespeed release?
EDIT: Just to confirm, it's definitely NOT timing out. Telnets to port 443 go through fine, I believe the "timeout" error just means the script can't interpret the response Litespeed is providing.
EDIT: Just to confirm, it's definitely NOT timing out. Telnets to port 443 go through fine, I believe the "timeout" error just means the script can't interpret the response Litespeed is providing.
We did yum update installed updates but still said VULNERABLE
Then we clicked we had litespeed installed so did the update to 4.2.9 now all we get on heartbleed test is timeout.
And one of our servers says this below on heartbleed test
Uh-oh, something went wrong:tls: oversized record received with length 20527
Then we clicked we had litespeed installed so did the update to 4.2.9 now all we get on heartbleed test is timeout.
And one of our servers says this below on heartbleed test
Uh-oh, something went wrong:tls: oversized record received with length 20527
Michael: I get the same timeout as JulesR after I upgraded to 4.2.9.
I use the Heartbleed CLI tool available here: https://github.com/FiloSottile/Heartbleed
Would like to confirm that this timeout is the expected response, for this test and a patch Litespeed.
Testing www.litespeedtech.com also returns a timeout, so at least we know all 4.2.9 install have the same behaviour.
I use the Heartbleed CLI tool available here: https://github.com/FiloSottile/Heartbleed
Would like to confirm that this timeout is the expected response, for this test and a patch Litespeed.
Testing www.litespeedtech.com also returns a timeout, so at least we know all 4.2.9 install have the same behaviour.
I agree that it's likely the timeout response means we are not vulnerable, however it would be great if we could determine why the tool is incompatible with Litespeed (why is it providing a different response than expected) and get to a stage where the tool can be used to confirm this. For people with many servers who may wish to bulk check, this will provide a lot of peace of mind.