Standard User BatBoy
(legend) Thu 05-Jun-14 21:27:44
Re: OpenSSL vulnerability
[re: billford]

'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'



______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User billford
(elder) Thu 05-Jun-14 21:38:49
Re: OpenSSL vulnerability
[re: BatBoy]

If you're daft enough to do work over an open wireless network that's sufficiently sensitive in any way to require encryption then you deserve all you get IMHO.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6

Edited by billford (Thu 05-Jun-14 21:40:01)

Standard User BatBoy
(legend) Thu 05-Jun-14 22:03:54
Re: OpenSSL vulnerability
[re: billford]

in the current environment, where open wireless networks are everywhere, many users connect to them without a second thought


______________________________________________________________________________________False_Authority_Syndrome__________________

Standard User billford
(elder) Thu 05-Jun-14 22:07:45
Re: OpenSSL vulnerability
[re: BatBoy]

Yes, I saw that… I see no reason to change a syllable of my comment.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User BatBoy
(legend) Thu 05-Jun-14 22:37:30
Re: OpenSSL vulnerability
[re: billford]

You could remove the "if" to reflect reality.


______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User caffn8me
(knowledge is power) Wed 13-Aug-14 05:27:32
Re: OpenSSL vulnerability
[re: billford]

Just in case anyone hasn't noticed, a new version, 1.0.1i, was released a week ago which includes a number of security fixes.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Wed 13-Aug-14 06:30:24
Re: OpenSSL vulnerability
[re: grahammm]

In reply to a post by grahammm:
In reply to a post by caffn8me:
Of course, it's not enough just to upgrade OpenSSL but any applications compiled with it need to be recompiled.


That is not quite accurate. The applications do not need to be recompiled - they just need to be restarted as this will cause them to pick up the new code.

Have you tried it with ISC BIND perchance?

Thought not ;)

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Thu 16-Oct-14 13:40:54
Re: OpenSSL vulnerability
[re: caffn8me]

OpenSSL 1.0.1j was released yesterday to fix another vulnerability.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User jasmeencress
(newbie) Sat 25-Oct-14 08:19:46
Re: OpenSSL vulnerability
[re: billford]

Unless your version of Firefox is dynamically linked (mine isn't) then it's definitely not using the latest version of openssl that you installed.
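
An added example, not part of any post in this thread: the restart-versus-recompile question discussed above can be checked on a Linux host from each process's /proc/<pid>/maps. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify one process from the text of its /proc/<pid>/maps (read on stdin).
#   stale   - maps a libssl/libcrypto file that was replaced on disk: restart it
#   current - maps the libssl/libcrypto file that is on disk now
#   none    - no shared OpenSSL mapped: upgrading the package and restarting
#             changes nothing here; any OpenSSL code is inside the binary
#             (static link) or the program uses another TLS library
classify_maps() {
    awk '
        /\/lib(ssl|crypto)\.so/ {
            seen = 1
            if ($0 ~ /\(deleted\)$/) stale = 1
        }
        END {
            if (stale) print "stale"
            else if (seen) print "current"
            else print "none"
        }'
}

# Constructed sample maps lines (not captured from a real host).
SAMPLE_STALE='7f3a1c000000-7f3a1c05a000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5d2000 r-xp 00000000 08:01 393302 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)'
SAMPLE_CURRENT='7f9b20000000-7f9b2005a000 r-xp 00000000 08:01 401122 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'
SAMPLE_STATIC='00400000-00a31000 r-xp 00000000 08:01 131090 /usr/local/sbin/named
7f11e0000000-7f11e01b5000 r-xp 00000000 08:01 393250 /lib/x86_64-linux-gnu/libc-2.19.so'

# Walk live processes and list those still running the old library
# (Linux only; run as root to read other users' maps). Call it by hand.
scan_host() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        state=$(classify_maps 2>/dev/null < "$maps") || continue
        [ "$state" = "stale" ] && echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null)"
    done
    return 0
}

# Classify the three constructed samples: prints stale, current, none.
for s in "$SAMPLE_STALE" "$SAMPLE_CURRENT" "$SAMPLE_STATIC"; do
    printf '%s\n' "$s" | classify_maps
done
```
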
Standard User caffn8me
(knowledge is power) Sun 11-Jan-15 12:54:51
Re: OpenSSL vulnerability
[re: caffn8me]

OpenSSL 1.0.1k source code was released on 8th January and many distributions now have updated packages available too.

This isn't as serious a bug fix as the Heartbleed bug but it still contains eight fixes.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs