Home » Imported messages » comp.lang.php » Heartbleed bug?
Re: Heartbleed bug? [message #185536 is a reply to message #185525] Wed, 09 April 2014 23:43
Adam Harvey
On Wed, 09 Apr 2014 05:24:02 -0700, Kevin Burton wrote:
> Anyone know how this bug http://heartbleed.com/ affects PHP when the
> extension is enabled? Is there a patch for the extension?

OpenSSL has released version 1.0.1g to fix the Heartbleed bug. Non-
Windows users generally don't need to update their PHP installation;
upgrading OpenSSL to a fixed version is sufficient. (All major Linux
distributions have now shipped OpenSSL updates.) The Windows PHP packages
distributed from windows.php.net _do_ include a local copy of OpenSSL,
and have been rebuilt today to include 1.0.1g: if you're using a package
from windows.php.net, you should upgrade immediately.

Once you've upgraded OpenSSL, restart your Web server, PHP-FPM if you're
using it, and any other PHP processes you have running.

Note that you may need to take additional action, depending on whether
you fit into one (or more) of the following categories:

1. You're running a HTTPS server.

If you're running a Web server that uses OpenSSL to provide SSL/TLS (eg
Apache, nginx, lighttpd), you'll need to upgrade OpenSSL, restart your
Web server, _and_ revoke your SSL certificates and have them reissued
with new private keys. (This last step is due to the nature of the bug:
it's possible for an attacker to have already captured your private key,
and even if you upgrade OpenSSL, they could then use that to decrypt your
secure traffic.)

You should probably suggest to your users that they change their
passwords as well, since it may have been possible for attackers to
extract those opportunistically from your PHP process's memory,
particularly if you're using something like mod_php where the SSL/TLS
negotiation happens in the same process as PHP is executed in.

2. You're connecting to secure servers from within PHP _and_ using client
certificates.

This is extremely rare (if you don't know whether you're using client
certificates, you're not), but if you have code that sets the
CURLOPT_SSLCERT option or the SSL local_cert context option, you'll want
to revoke and reissue your client certificate(s) with new private keys
once you've upgraded OpenSSL.

3. You wrote a secure socket server _in_ PHP. (My God, why?)

It's possible to write a secure socket server in PHP by using
stream_socket_server() with the ssl:// or tls:// protocol. If so, the fix
is similar to the first case: upgrade OpenSSL, restart all PHP processes,
and create new server certificates using new private keys.

Adam
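
Added example, not part of the original post: a shell triage that looks through a PHP source tree for the patterns the post names under categories 2 and 3 (CURLOPT_SSLCERT, the local_cert context option, and stream_socket_server() with an ssl:// or tls:// address). The function name `scan_php_tree` and the output labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the original post. Triage a PHP source tree for
# the code patterns named in categories 2 and 3 of the post.
# Hits are leads for manual review, not proof of exposure: option names built
# at run time or kept in non-.php config files are not seen by this scan.

# scan_php_tree DIR
# Prints one "label: file:line:text" record per hit.
# Returns 0 if at least one hit was found, 1 if none.
scan_php_tree() {
    dir=$1
    hits=$(
        # cURL client certificate option, or the SSL local_cert context
        # option. local_cert is also how a PHP TLS server names its own
        # certificate, so a hit here can belong to category 3.
        find "$dir" -type f -name '*.php' -exec \
            grep -nHE "CURLOPT_SSLCERT|['\"]local_cert['\"]" {} + 2>/dev/null |
            sed 's/^/cert-option: /'

        # Files that call stream_socket_server: report the ssl:// and tls://
        # address literals they contain.
        find "$dir" -type f -name '*.php' -exec \
            grep -lE 'stream_socket_server[[:space:]]*\(' {} + 2>/dev/null |
            while IFS= read -r f; do
                grep -nHE "['\"](ssl|tls)://" "$f"
            done |
            sed 's/^/tls-server: /'
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Stand-alone use: sh scan.sh /path/to/app
if [ "$#" -gt 0 ]; then
    scan_php_tree "$1"
fi
```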