Standard User billford
(elder) Tue 08-Apr-14 10:39:22
OpenSSL vulnerability

OpenSSL vulnerabilities

This page lists all security vulnerabilities fixed in released versions of OpenSSL since 0.9.6a was released on 5th April 2001.

2014

CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)

In reference to heartbleed.com:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.


Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
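The missing bounds check described in the advisory quoted in the post above, as an added illustration that is not OpenSSL's code and not part of the original post: a Python simulation of a heartbeat handler with the unchecked echo beside a bounds-checked one. The message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) is from RFC 6520; the function names, sample records and the adjacent "memory" are constructed for the example.

```python
import struct

HB_REQUEST = 1       # RFC 6520 HeartbeatMessageType: heartbeat_request
HEADER_LEN = 3       # 1-byte type + 2-byte payload_length
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding

# Constructed sample data (not captured traffic). Both records carry a 4-byte
# payload; the second one claims 40 bytes in its payload_length field.
HONEST = struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(MIN_PADDING)
OVERSTATED = struct.pack("!BH", HB_REQUEST, 40) + b"ping" + bytes(MIN_PADDING)
# Stand-in for whatever the process happens to keep next to the record buffer.
ADJACENT = b"SECRET-KEY-MATERIAL-(constructed)"


def echo_unchecked(memory: bytes, rec_len: int) -> bytes:
    """Echo payload_length bytes, trusting the peer's length field.

    Mirrors the flaw the advisory describes: rec_len, the number of bytes
    actually received, is never compared with the claimed length. The field
    is 16 bits wide, hence "up to 64kB" per request.
    """
    _msg_type, claimed = struct.unpack_from("!BH", memory, 0)
    return memory[HEADER_LEN:HEADER_LEN + claimed]


def echo_checked(memory: bytes, rec_len: int):
    """Echo the payload only if the claimed length fits inside the record.

    Returns None for a message that must be silently discarded.
    """
    if rec_len < HEADER_LEN + MIN_PADDING:
        return None                      # too short to be a heartbeat at all
    msg_type, claimed = struct.unpack_from("!BH", memory, 0)
    if msg_type != HB_REQUEST:
        return None
    if HEADER_LEN + claimed + MIN_PADDING > rec_len:
        return None                      # length field exceeds what was received
    return memory[HEADER_LEN:HEADER_LEN + claimed]


def simulate(record: bytes):
    """Place the record in front of ADJACENT and run both handlers on it."""
    memory = record + ADJACENT
    return echo_unchecked(memory, len(record)), echo_checked(memory, len(record))


if __name__ == "__main__":
    for name, rec in (("honest", HONEST), ("overstated", OVERSTATED)):
        unchecked, checked = simulate(rec)
        print(name, "unchecked:", unchecked, "checked:", checked)
```

With the overstated record the unchecked handler returns the payload, the padding and the first 20 bytes of the neighbouring buffer, while the checked handler discards the message.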
Standard User bobble_bob
(fountain of knowledge) Tue 08-Apr-14 16:19:33
Re: OpenSSL vulnerability
[re: billford]

As serious as some of these are, I've given up caring too much about the latest vulnerability in whatever software/hardware. Scares you to death. Only way to be safe is unplug your router
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 04:18:43
Re: OpenSSL vulnerability
[re: bobble_bob]

In reply to a post by bobble_bob:
Only way to be safe is unplug your router
...and wear a tin foil hat wink

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs


Standard User RobertoS
(sensei) Wed 09-Apr-14 11:12:59
Re: OpenSSL vulnerability
[re: billford]

Ha! I was just about to post the link in the Web/hosting forum, seeing as Andrew doesn't think it warrants an article at this stage. I think it relates mainly to people here running servers.

That forum looks dead though, so I checked here and found this smile.

My broadband basic info/help site - www.robertos.me.uk | Domains,site and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 58.7/14.6Mbps @ 600m. - BQM

"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 12:02:40
Re: OpenSSL vulnerability
[re: RobertoS]

Of course, it's not enough just to upgrade OpenSSL but any applications compiled with it need to be recompiled.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Ignitionnet
(knowledge is power) Wed 09-Apr-14 12:41:44
Re: OpenSSL vulnerability
[re: billford]

I am rather grateful for the 0.9.8 version running on the relevant equipment here.

That is nasty and without a doubt the largest security vulnerability to affect the Internet in a very, very long time.
Standard User billford
(elder) Wed 09-Apr-14 12:52:38
Re: OpenSSL vulnerability
[re: Ignitionnet]

I was rather surprised to read that it was a failure to perform bounds checking, you'd have thought that internet programmers would have learned the lesson by now- it's not exactly the first time errors like that have led to security holes crazy

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User greenglide
(experienced) Wed 09-Apr-14 14:40:33
Re: OpenSSL vulnerability
[re: billford]

I am still waiting for the first email purporting to come from Nat West / Santander / TSB / "random bank name" telling me to reset my password by clicking here ....

Got an email at work which forwarded the official HMG warning about it and request for emergency impact. Scary, very scary.

BT Infinity 2 - IP profile 77 / 20 - super fast!
Previously BE Unlimited - 21,000 Download 1,200 Upload but then moved house - 6,500 Down, 1Mb/s up - gutted!
Ex <n>ildram , been to SKY MAX - 15,225 Download
Standard User billford
(elder) Wed 09-Apr-14 15:00:33
Re: OpenSSL vulnerability
[re: greenglide]

The Beeb are at it too:
Heartbleed Bug: Public urged to reset all passwords


Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User asrdesigns
(newbie) Wed 09-Apr-14 15:48:14
Re: OpenSSL vulnerability
[re: billford]

So, is there any chance that this applies to our SOHO modem / routers? I read some folks saying it's only the web servers themselves that are vulnerable (which I'm inclined to not believe) and the contrary view it affects anything with SSL traffic passing through it (which seems to me to be more plausible). Nothing on ISP web sites one way or the other, and a Tech Support guy I've just spoken to at my ISP had not even heard of HeartBleed.
Standard User billford
(elder) Wed 09-Apr-14 15:56:29
Re: OpenSSL vulnerability
[re: asrdesigns]

As far as I know, it only affects anything running as a server and using encryption as mentioned in the second quote of the OP.

I don't think it applies to SOHO modems/routers.

But my knowledge in this area is very limited, hopefully someone more expert will comment.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User Pipexer
(eat-sleep-adslguide) Wed 09-Apr-14 16:00:40
Re: OpenSSL vulnerability
[re: asrdesigns]

In reply to a post by asrdesigns:
So, is there any chance that this applies to our SOHO modem / routers?

Not in the manner you are thinking of, no. It may affect the web server service running on your router for remote management, but you probably shouldn't have that exposed to the internet anyway because we all know how poor home/SOHO router manufacturers are at producing secure management for their routers.

Zen 8000 Pro
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 20:03:41
Re: OpenSSL vulnerability
[re: billford]

In reply to a post by billford:
I don't think it applies to SOHO modems/routers.
Many routers running open source based firmware will be affected. Some DD-WRT versions certainly are.

It also seems that many Cisco products have OpenSSL at their core;

http://tools.cisco.com/security/center/content/Cisco...

I am sure there are more manufacturers using OpenSSL.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Wed 09-Apr-14 20:08:23)

Standard User billford
(elder) Wed 09-Apr-14 20:06:07
Re: OpenSSL vulnerability
[re: billford]

Just a little bit of re-assurance for the nervous:
It seems the bug has been in OpenSSL for 2+ years (since December 2011, OpenSSL versions 1.0.1 through 1.0.1f) before its publicly announced discovery today.


Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User billford
(elder) Wed 09-Apr-14 20:18:23
Re: OpenSSL vulnerability
[re: caffn8me]

Glad I can't afford a Cisco router smile

Saw this site mentioned if anyone wants to check out a site they use, but no idea how reliable the results are.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 20:57:44
Re: OpenSSL vulnerability
[re: billford]

..but if Cisco are using OpenSSL you can bet other manufacturers are. I know Sun Microsystems did.

To reassure folks a little bit;
A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.

"I think there is a low to medium risk that any given password has been compromised," said Dr Steven Murdoch.

"It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.


Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Wed 09-Apr-14 20:59:17)

Administrator MrSaffron
(staff) Wed 09-Apr-14 21:47:25
Re: OpenSSL vulnerability
[re: caffn8me]

All depends on what version of openSSL was used by the website too

Andrew Ferguson, [email protected]
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 23:56:21
Re: OpenSSL vulnerability
[re: MrSaffron]

It does indeed. I've checked all the secure websites I use and none is affected as none uses OpenSSL. My own servers, which would have been affected, currently aren't running HTTPS

I do run SSH on numerous servers that had the previous vulnerable version of OpenSSL but they are firewalled to allow SSH access only from specific locations (in two cases only on private IP addresses via VPN)

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 00:16:23
Re: OpenSSL vulnerability
[re: billford]

Do all secure sites use SSL?

As looking on https://github.com/musalbas/heartbleed-masstest/blob... it says


live.com... no SSL


however live.com is a secure site
Standard User Ignitionnet
(knowledge is power) Thu 10-Apr-14 03:02:54
Re: OpenSSL vulnerability
[re: bobble_bob]

Yes. SSL/TLS is the standard.

live.com negotiated TLS 1.0 with my browser.
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 06:06:32
Re: OpenSSL vulnerability
[re: billford]

No point resetting anything until the servers are patched on everything you use
Standard User billford
(elder) Thu 10-Apr-14 06:29:28
Re: OpenSSL vulnerability
[re: bobble_bob]

And it could happen (if Lady Luck was having an off day) that logging in to change your password would also disclose your new password...

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 06:31:20
Re: OpenSSL vulnerability
[re: Ignitionnet]

2 step verification seems most secure way atm. Although it has been possible to bypass it, it makes it a lot harder to
Administrator MrSaffron
(staff) Thu 10-Apr-14 09:56:11
Re: OpenSSL vulnerability
[re: billford]

Along with other security phrases that password updates sometimes ask for......

Andrew Ferguson, [email protected]
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User billford
(elder) Thu 10-Apr-14 10:08:13
Re: OpenSSL vulnerability
[re: MrSaffron]

A day is always well started by spreading a little alarm and despondency grin

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 10:35:39
Re: OpenSSL vulnerability
[re: billford]

Do wonder if this has been exploited yet. Been around for 2 years and apart from Yahoo accounts being compromised a fair bit, doesn't appear to be many reports of other sites suffering large scale account compromises
Standard User Kper
(member) Thu 10-Apr-14 11:49:45
Re: OpenSSL vulnerability
[re: bobble_bob]

In reply to a post by bobble_bob:
No point resetting anything until the servers are patched on everything you use


Exactly. Could be counter-productive, in fact, exposing both old and new passwords.

Here's how it works.

Android 4.1.1 is vulnerable, so, reversing the attack, a malicious server could be used to extract passwords from your phone.

Scarily, we found our hosting and email providers' tech support to be totally clueless. Less scarily, though, it looks like their real tech people have already fixed most things and put measures in place to block the exploit whilst they fix the rest.
Standard User Ignitionnet
(knowledge is power) Thu 10-Apr-14 12:14:34
Re: OpenSSL vulnerability
[re: bobble_bob]

Right I've had a bit more time.

live.com does indeed not have SSL - it uses an HTTP 301 redirect. The redirect goes to another non-SSL site, which is a load balanced front end for mail.live.com which is itself an alias of www.live.com. That site finally pushes the client to login.live.com, another alias, which is HTTPS:

TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)

Probably the amount of redirects confused the tester, it was likely expecting no more than a single redirect via an HTTP 301 to a secure site.
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 12:20:47
Re: OpenSSL vulnerability
[re: Ignitionnet]

How long realistically would it take all the major sites (email, banks etc) to update their servers?

No point changing passwords until they do
Administrator MrSaffron
(staff) Thu 10-Apr-14 13:20:27
Re: OpenSSL vulnerability
[re: bobble_bob]

http://www.telegraph.co.uk/technology/internet-secur...

Is a nice clear and easy to follow list, not perfect for the average human keeps it simple.

Andrew Ferguson, [email protected]
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User XRaySpeX
(eat-sleep-adslguide) Thu 10-Apr-14 22:03:11
Re: OpenSSL vulnerability
[re: MrSaffron]

Couldn't care a fig about my FB pwd; it's trivia and unimportant. So what if someone gets in; they can't buy anything on my CC grin.

As long as my banks, Amazon & PayPal are unaffected, and they are. Most banks do not depend on a typed pwd alone. They use a PIN reader and drop-down pwd chars to do at least new transactions.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ian72
(knowledge is power) Fri 11-Apr-14 08:44:38
Re: OpenSSL vulnerability
[re: XRaySpeX]

Presumably you are one of the sensible people that doesn't use the same password on FB as on any other sites? For a lot of people the issue is they use the same password, so if one gets compromised they all do.
Standard User BatBoy
(legend) Fri 11-Apr-14 18:58:13
Re: OpenSSL vulnerability
[re: caffn8me]

In reply to a post by caffn8me:
Many routers running open source based firmware will be affected. Some DD-WRT versions certainly are.
It also seems that many Cisco products have OpenSSL at their core;
http://tools.cisco.com/security/center/content/Cisco...
I am sure there are more manufacturers using OpenSSL.
Well, the open source programmer has been identified but seems unwilling to take the blame for a fairly obvious schoolboy error
I was working on a research project at the University of Münster using the OpenSSL encryption library and releasing bug fixes and new features that were developed as part of my work on the OpenSSL project. The various changes were checked by a member of the OpenSSL development team and then incorporated into the official code. In connection with one extension, the TLS/DTLS Heartbeat extension, I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed after the extension. Unfortunately, the OpenSSL developer who reviewed the code also did not notice that a mistake had been made when carrying out the check. As a result, the faulty code was incorporated into the development version, which was later officially released.
This shows the vulnerability of Open Source development, where some inexperienced schoolboy becomes responsible for the maintenance of an important piece of software with no apparent skill or experience, no formal testing other than "it works" and no formal reviews.


______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User flippery
(committed) Fri 11-Apr-14 19:21:29
Re: OpenSSL vulnerability
[re: BatBoy]

In reply to a post by BatBoy:
In reply to a post by caffn8me:
Many routers running open source based firmware will be affected. Some DD-WRT versions certainly are.
It also seems that many Cisco products have OpenSSL at their core;
http://tools.cisco.com/security/center/content/Cisco...
I am sure there are more manufacturers using OpenSSL.
Well, the open source programmer has been identified but seems unwilling to take the blame for a fairly obvious schoolboy error
I was working on a research project at the University of Münster using the OpenSSL encryption library and releasing bug fixes and new features that were developed as part of my work on the OpenSSL project. The various changes were checked by a member of the OpenSSL development team and then incorporated into the official code. In connection with one extension, the TLS/DTLS Heartbeat extension, I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed after the extension. Unfortunately, the OpenSSL developer who reviewed the code also did not notice that a mistake had been made when carrying out the check. As a result, the faulty code was incorporated into the development version, which was later officially released.
This shows the vulnerability of Open Source development, where some inexperienced schoolboy becomes responsible for the maintenance of an important piece of software with no apparent skill or experience, no formal testing other than "it works" and no formal reviews.


Hmm
Major suppliers use as part of kit, most likely as a cost saving exercise, without resorting to any testing procedures or 2 part logins.
Schoolboy errors have been made by many major software companies, including one I worked for.
The likes of Google, Facebook and Yahoo are the guilty ones. Worth billions but spend peanuts on security.
Standard User BatBoy
(legend) Fri 11-Apr-14 19:27:39
Re: OpenSSL vulnerability
[re: flippery]

It's easy to blame everybody else for a coding error. The fact is, this code should never have gone live - look at the damage!


______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User grahammm
(member) Sat 26-Apr-14 12:20:43
Re: OpenSSL vulnerability
[re: caffn8me]

In reply to a post by caffn8me:
Of course, it's not enough just to upgrade OpenSSL but any applications compiled with it need to be recompiled.


That is not quite accurate. The applications do not need to be recompiled - they just need to be restarted as this will cause them to pick up the new code.
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 26-Apr-14 13:04:37
Re: OpenSSL vulnerability
[re: grahammm]

Ah, the beauty of DLLs!

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User BatBoy
(legend) Sat 26-Apr-14 13:05:47
Re: OpenSSL vulnerability
[re: XRaySpeX]

As long as they're not static.


______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User gomezz
(eat-sleep-adslguide) Sat 26-Apr-14 16:04:11
Re: OpenSSL vulnerability
[re: BatBoy]

How can they be static if they are a *Dynamic* Link Library?

BT Infinity 1 (unlimited)
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 26-Apr-14 16:51:58
Re: OpenSSL vulnerability
[re: gomezz]

He could be referring to the fact that some libraries are issued in both DLL & static form and some OpenSSL s/ware might use the static one. His 'it' might mean the OpenSSL app.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User BatBoy
(legend) Thu 05-Jun-14 21:27:44
Re: OpenSSL vulnerability
[re: billford]

'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'



______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User billford
(elder) Thu 05-Jun-14 21:38:49
Re: OpenSSL vulnerability
[re: BatBoy]

If you're daft enough to do work over an open wireless network that's sufficiently sensitive in any way to require encryption then you deserve all you get IMHO.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6

Edited by billford (Thu 05-Jun-14 21:40:01)

Standard User BatBoy
(legend) Thu 05-Jun-14 22:03:54
Re: OpenSSL vulnerability
[re: billford]

in the current environment, where open wireless networks are everywhere, many users connect to them without a second thought


______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User billford
(elder) Thu 05-Jun-14 22:07:45
Re: OpenSSL vulnerability
[re: BatBoy]

Yes, I saw that… I see no reason to change a syllable of my comment.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User BatBoy
(legend) Thu 05-Jun-14 22:37:30
Re: OpenSSL vulnerability
[re: billford]

You could remove the "if" to reflect reality.


______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User caffn8me
(knowledge is power) Wed 13-Aug-14 05:27:32
Re: OpenSSL vulnerability
[re: billford]

Just in case anyone hasn't noticed, a new version, 1.0.1i, was released a week ago which includes a number of security fixes.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Wed 13-Aug-14 06:30:24
Re: OpenSSL vulnerability
[re: grahammm]

In reply to a post by grahammm:
In reply to a post by caffn8me:
Of course, it's not enough just to upgrade OpenSSL but any applications compiled with it need to be recompiled.


That is not quite accurate. The applications do not need to be recompiled - they just need to be restarted as this will cause them to pick up the new code.
Have you tried it with ISC BIND perchance?

Thought not wink

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Thu 16-Oct-14 13:40:54
Re: OpenSSL vulnerability
[re: caffn8me]

OpenSSL 1.0.1j was released yesterday to fix another vulnerability.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User jasmeencress
(newbie) Sat 25-Oct-14 08:19:46
Re: OpenSSL vulnerability
[re: billford]

Unless your version of Firefox is dynamically linked (mine isn't) then it's definitely not using the latest version of openssl that you installed.
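One way to check the restart-versus-recompile point argued earlier in the thread and the static-linking point in the post above, as an added example that is not from any poster: a Python function that classifies a process from its Linux /proc/<pid>/maps listing. It assumes Linux, where a mapped file that has since been replaced on disk is listed with a trailing "(deleted)"; the sample listings, paths and function names are constructed.

```python
import glob
import re

# Shared-object names for OpenSSL's two libraries, with any version suffix.
OPENSSL_SO = re.compile(r"/lib(?:ssl|crypto)[^/]*\.so[^/]*$")
DELETED = " (deleted)"

# Constructed /proc/<pid>/maps excerpts (address perms offset dev inode path).
STALE = """\
00400000-004f2000 r-xp 00000000 08:01 917512 /usr/sbin/exampled
7f3a10000000-7f3a1005e000 r-xp 00000000 08:01 131245 /usr/lib/libssl.so.1.0.0 (deleted)
7f3a10400000-7f3a105d0000 r-xp 00000000 08:01 131246 /usr/lib/libcrypto.so.1.0.0 (deleted)
"""
FRESH = """\
00400000-004f2000 r-xp 00000000 08:01 917512 /usr/sbin/exampled
7f3a10000000-7f3a1005e000 r-xp 00000000 08:01 140001 /usr/lib/libssl.so.1.0.0
"""
NO_SHARED = """\
00400000-00a10000 r-xp 00000000 08:01 917600 /usr/local/bin/example-static
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0 [stack]
"""


def openssl_state(maps_text: str) -> str:
    """Classify one process from the text of its maps file.

    restart-needed     still executing a libssl/libcrypto file that has been
                       replaced on disk; a restart picks up the new one
    shared-lib-on-disk maps the copy currently on disk (says nothing about
                       whether that copy is a fixed version)
    no-shared-openssl  no shared OpenSSL mapped: statically linked, bundles
                       its own TLS library, or does not use OpenSSL, so
                       upgrading the shared library does not change it
    """
    saw_lib = False
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5]
        stale = path.endswith(DELETED)
        if stale:
            path = path[:-len(DELETED)]
        if not OPENSSL_SO.search(path):
            continue
        if stale:
            return "restart-needed"
        saw_lib = True
    return "shared-lib-on-disk" if saw_lib else "no-shared-openssl"


def scan_proc() -> dict:
    """Classify every process whose maps file is readable (Linux only)."""
    results = {}
    for maps in glob.glob("/proc/[0-9]*/maps"):
        pid = maps.split("/")[2]
        try:
            with open(maps) as fh:
                results[pid] = openssl_state(fh.read())
        except OSError:
            continue                      # process exited or not ours to read
    return results


if __name__ == "__main__":
    for pid, state in sorted(scan_proc().items(), key=lambda kv: int(kv[0])):
        if state == "restart-needed":
            print(pid, state)
```

Run as root to see every process; a binary reported as no-shared-openssl has to be checked against its own build or vendor update rather than the system package.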
Standard User caffn8me
(knowledge is power) Sun 11-Jan-15 12:54:51
Re: OpenSSL vulnerability
[re: caffn8me]

OpenSSL 1.0.1k source code was released on 8th January and many distributions now have updated packages available too.

This isn't as serious a bug fix as the Heartbleed bug but it still contains eight fixes.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs