[mythtv-users] the heartbleed openssl bug and mythtv
Ian Evans
dheianevans at gmail.com
Thu Apr 10 02:02:55 UTC 2014
On Wed, Apr 9, 2014 at 3:16 PM, Gary Buhrmaster
<gary.buhrmaster at gmail.com>wrote:
> On Wed, Apr 9, 2014 at 6:52 PM, Ian Evans <dheianevans at gmail.com> wrote:
> > Just a heads up that if you've made your mythbox accessible from the
> outside
> > via ssh or mythweb you may need to make sure your system isn't affected
> by
> > the recenlty discovered heartbleed security hole.
>
> Ok, it is worth pointing out that OpenSSH is *NOT* vulnerable
> to this vulnerability. While OpenSSH does use OpenSSL for
> some key generation functions, OpenSSH does not use TLS.
>
> Do not get an a panic about your OpenSSH server regarding
> this vulnerability.
>
> Do get your OpenSSL updates. For server admins, do
> regenerate your keys and get a new certificate from your CA
> (and while you are at it, consider implementing PFS). As
> a client, after you have verified your favorite web sites have
> updated, do change your passwords at those sites. Any/all
> passwords that are shared among any sites should be
> considered compromised. And if you are especially lazy,
> at least change the passwords on the sites that can really
> matter in your life and PII (banking, health care, etc.).
> _______________________________________________
>
If we do have an ssl-protected web-facing mythweb right now and don't have
time in the next day or so to take additional steps, should we at least
shutdown apache?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.mythtv.org/pipermail/mythtv-users/attachments/20140409/af2e72fe/attachment.html>
More information about the mythtv-users
mailing list