Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 158 replies
  • Subscribers 3 subscribers
  • Views 151391 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Timeline for patching SSL vulnerability (Heartbleed Bug)

strategicdata
Heatbleed Bug (CVE-2014-0160)

Hi

Is there any timeframe for patching this SSL/TLS bug for Astaro Security Gateway V8.
We are on the latest 8.311 (as V8 is an approved appliance for us and V9 is not).

Thanks


Heartbleed Bug
https://news.ycombinator.com/item?id=7548991


This thread was automatically locked due to age.
  • 0 in reply to Ákos Szalkai
    Cool, I just tried, right now we have a soft-released 9.110 and a hard(?)-released 9.111. [:@] The UTM's download 9.111 and don't download 9.110.  That was really worth two days of testing...

    Also there is no fix for 9.200 available yet.

    And there simply has to be some kind of detailed announcement from Sophos.  Why install immediately, what to do after installation.  The difficult part comes after installing the fix!!!


    I manually downloaded u2d-sys-9.109001-110022.tgz.gpg from the ftp and uploaded to webadmin. After installing this 9.111.7 also installs.

    Update: ftp://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.109001-110022.tgz.gpg
  • 0 in reply to DirkR
    If you choose to update to the latest version, with the UTM having downloaded 9.110 and 9.111, it fails...  error:

    2014:04:09-11:21:20 firewall-2 auisys[470]: Unpacking installation instructions
    2014:04:09-11:21:20 firewall-2 auisys[470]: >=========================================================================
    2014:04:09-11:21:20 firewall-2 auisys[470]: id="371J" severity="error" sys="system" sub="up2date" name="Fatal: Version conflict: required version: 9.110022  current version: 9.109001" status="failed" action="install" package="sys"
    2014:04:09-11:21:20 firewall-2 auisys[470]:


    Gonna try installing 9.110 manually first, then 9.111 ... this really should work properly though.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    yea same here, the Update was provided within the utm:

    severity="error" sys="system" sub="up2date" name="Fatal: Version conflict: required version: 9.110022  current version: 9.109001"
  • 0
    At one site, the 9.110 also loaded.  At two other sites, so far, only 9.111 arrived.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    I've scanned all the recent pages and can't see a link to the article on the issue so thought I'd post it:

    Advisory: Critical vulnerability found in OpenSSL affecting Sophos products

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to BAlfson
    Looks like for you guys with errors - you haven't gotten the middle version yet... and they don't jump.

    -Jim
  • 0
    I see why they did 2 days of QA on this.
  • 0 in reply to samy_01
    I've reported the issue... blew up my test cluster but good!

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BAlfson
    What ever happened to the alerting service Astaro created after the June 2010 virus pattern update disaster?  It appears that Sophos let that die.

    Cheers - Bob



    This is exactly what I have been looking up right now.

    Posted by Gert Hansen on May 7, 2010 6:01 PM
    ...
    3) We need to define better escalation procedures and inform our partners and customers more quickly using multiple, redundant communication channels. We will implement this.
    ...
    Once again, I offer my sincere apologies. I sincerely hope that you will accept them and allow us to prove ourselves as a trusted partner to your business going forward.


    In four years there has never been one warning via the implemented SMS alerting - OK, as there has not such a big problem since then. But not even now, during the most severe situation since then - probably since ever [:@]

    Sorry Sophos, but Astaro tried to do the right thing here, I don't know what happened to this system, but they had my trust in this. Doing a blog post after nearly everybody knew what is going on is really not good enough.
    But ok, Sophos is not Astaro. 

    I am disappointed by your communications strategy and how you handled this case.
  • 0 in reply to t-work
    Doing a blog post after nearly everybody knew what is going on is really not good enough.
    But ok, Sophos is not Astaro. 

    I am disappointed by your communications strategy and how you handled this case.


    AND the blog post isn't updated yet. Over an hour after the update was available.