Subsonic Forum

[envoy510]

I have my server behind https. On a Mac. The server is "jetty-6.1.x, java 1.6.0_65, Mac OS X". Is it vulnerable?

[daneren2005]

Jetty (the servlet Subsonic uses) either uses OpenSSL and is vulnerable until the system is patched, or it uses it's own implementation and is probably fine. Either way though there is nothing you are any of us can do about it.

[daneren2005]

Use http://filippo.io/Heartbleed/ to test if you are vulnerable. I am behind a nginx proxy so I can't tell (which was until the patch that went out yesterday).

[envoy510]

Use http://filippo.io/Heartbleed/ to test if you are vulnerable. I am behind a nginx proxy so I can't tell (which was until the patch that went out yesterday).

I got "seems not affected"... thanks.

[snohio]

Thanks for the link!

Both my windows and Ubuntu servers got-
Uh-oh, something went wrong: tls: oversized record received with length 20527

(My Windows instance is retiring since it is on XP, so seems like as good time as any!)

[HerrNilsson]

Seems like my tomcat7 Ubuntu Server is vulnerable. I've patched Ubuntu Server, any ideas what i should patch to secure this?

[daneren2005]

Looking at http://security.stackexchange.com/quest ... omcat-nati makes it seem like you should just need to restart Tomcat after updating (all affected versions of Ubuntu except 13.04, which is unsupported, should be patched at this point if you update). I would just restart the entire computer though since it's almost impossible to know all the services which depend on OpenSSL, and they will all need to be restarted.

[HerrNilsson]

Correct. Patched and restarted and now it's safe.
Time to replace all certificates.