
Lots of servers are vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224)
Closed, Resolved (Public)

Description

Originally I posted this issue under Bug 53259, but I find more and more vulnerable sites, so I think it is more appropriate to move to a new bug report.

According to SSL Labs these servers are "vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable":

  • graphite.wikimedia.org
  • gdash.wikimedia.org
  • dumps.wikimedia.org
  • noc.wikimedia.org

These are vulnerable but probably not exploitable:

  • ganglia.wikimedia.org
  • lists.wikimedia.org

[1] https://www.ssllabs.com/ssltest/analyze.html?d=noc.wikimedia.org


Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=53259
https://rt.wikimedia.org/Ticket/Display.html?id=7806

Details

Reference
bz67564

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 3:37 AM
bzimport added a project: HTTPS.
bzimport set Reference to bz67564.
bzimport added a subscriber: Unknown Object (MLST).

I reported your findings yesterday as RT 7806 and suggested that all hosts should be checked for missed libssl updates.