<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">2014-04-10 11:34 GMT+02:00 Mike Perkins <span dir="ltr">&lt;<a href="mailto:mikep@randomtraveller.org.uk" target="_blank">mikep@randomtraveller.org.uk</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 10/04/14 03:39, Gary Buhrmaster wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
As far as impact, if one is using a throw-away password<br>
like "password", and is using it only on their mythweb server,<br>
the impact is low (the worst someone could do is probably<br>
delete your recordings, and it is only just TV :-). On the<br>
other hand, if it is using the same password as you use<br>
at your bank, or your secret password to access your<br>
evil lair, the impact could be higher. You can mitigate<br>
against that impact by changing your bank password<br>
(note: Unless your bank says they have fixed it already,<br>
you get to do it now, and then again after they have<br>
applied the patch), and change your password to access<br>
your secret lair from which you plan to launch the plan of<br>
world domination.<br>
<br>
</blockquote></div>
Er, no. If they can gain access to your /server/ it makes it at least possible for them to upload more malware, turning your server into a relay bot, etc.<br>
<br>
Fortunately I don't permit any internet-facing access to my machines, which is probably just as well. The number of devices I will have to update in the near future is mind-boggling.<br>
<br>
Apart from the usual servers, clients and workstations, one mustn't forget wireless access points, smart phones (when Apple/Samsung gets around to providing a fix), tablets, ereaders and set-top boxes, all of which likely run some OS which uses SSL!<span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
<br>
Mike Perkins</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
</div></div></blockquote></div><br></div><div class="gmail_extra">This is not a security discussion group, and I find that this discussion really has gone overboard. You have to upgrade openssl on your server IF you use apache and openssl to deliver any content on your mythtv server (for example mythweb). Changing passwords on the server is also recommended (if you are really paranoid; the chance that someone has targeted your mythtv server is slim to none; there are larger fish in the sea).</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Clients using openssl are not affected by this bug, so smartphones, tablets, set-top boxes and the like (as long as they are not serving content with openssl, which few are doing) do not need to be upgraded. Openssh is not affected either. Your password and possibly your public key can be compromised; if you are worried about your password, change it. If you worry about someone getting your public key, then you don't understand how key generation and login work.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">The main thing is however that your server won't be compromised just because it is internet-facing and used an old version of openssl. Check your server logs to see if there are strange logins, change the password and you are fine!</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">The problem is worse on all of our Internet services. You should really think about changing passwords there. And I can't imagine that there are any sysops that haven't upgraded openssl already....</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Regards</div><div class="gmail_extra"><br></div><div class="gmail_extra">Andréas</div></div>