'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'
If you're daft enough to do work over an open wireless network that's sufficiently sensitive in any way to require encryption then you deserve all you get IMHO.
Edited by billford (Thu 05-Jun-14 21:40:01)
in the current environment, where open wireless networks are everywhere, many users connect to them without a second thought
Yes, I saw that. I see no reason to change a syllable of my comment.
You could remove the "if" to reflect reality.
Just in case anyone hasn't noticed, a new version, 1.0.1i, was released a week ago which includes a number of security fixes.
Of course, it's not enough just to upgrade OpenSSL but any applications compiled with it need to be recompiled.
That is not quite accurate. The applications do not need to be recompiled - they just need to be restarted as this will cause them to pick up the new code.
Have you tried it with ISC BIND perchance?
Thought not
OpenSSL 1.0.1j was released yesterday to fix another vulnerability.
Unless your version of Firefox is dynamically linked (mine isn't) then it's definitely not using the latest version of openssl that you installed.
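The two practical points raised above (a dynamically linked service keeps running the old OpenSSL code until it is restarted, and a statically linked build such as a non-dynamic Firefox never uses the system OpenSSL at all) can both be checked from a shell. The script below is an added example, not code from this thread or from the OpenSSL project; it assumes a Linux host with `/proc/<pid>/maps` and `ldd`, and the sample maps text it carries is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): after a package upgrade the old
# libssl/libcrypto file is unlinked but stays mapped in every process that has
# not restarted; Linux marks such mappings "(deleted)" in /proc/<pid>/maps.

# stale_ssl_maps: read /proc/<pid>/maps-style text on stdin and print the
# distinct paths of mapped libssl/libcrypto objects whose file was deleted.
# Field 6 is the pathname, the optional last field is "(deleted)".
stale_ssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)[^ ]*\.so/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# count_stale: number of distinct stale OpenSSL mappings in the text on stdin.
count_stale() {
    stale_ssl_maps | wc -l | tr -d ' '
}

# links_openssl_dynamically: exit 0 if the ELF binary at $1 lists libssl or
# libcrypto as a needed shared object (a restart will pick up the new library),
# exit 1 otherwise (static build, bundled copy, or not a dynamic executable).
links_openssl_dynamically() {
    ldd "$1" 2>/dev/null | grep -Eq 'lib(ssl|crypto)[^ ]*\.so'
}

# scan_running: report every process on this host that still maps a deleted
# OpenSSL library, i.e. needs a restart. Run as root to see all processes.
scan_running() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        hits=$(cat "$maps" 2>/dev/null | stale_ssl_maps)
        [ -n "$hits" ] && printf '%s (%s): %s\n' "$pid" \
            "$(tr -d '\0' < "/proc/$pid/comm" 2>/dev/null)" "$hits"
    done
}

# Constructed sample of a maps file: two segments of a stale libssl, one
# current libcrypto, and an unrelated deleted file that must be ignored.
SAMPLE_MAPS='7f3a1c000000-7f3a1c05c000 r-xp 00000000 08:01 131346 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c05c000-7f3a1c25b000 ---p 0005c000 08:01 131346 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c300000-7f3a1c4f0000 r-xp 00000000 08:01 131301 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a1d000000-7f3a1d001000 rw-p 00000000 08:01 262204 /tmp/scratch.dat (deleted)'

# Run "sh thisfile.sh --scan" to check the live system; otherwise only the
# functions are defined, so the file can be sourced.
if [ "${1:-}" = "--scan" ]; then scan_running; fi
```

On the sample text `count_stale` reports one stale library (the two libssl segments collapse to one path); a process that shows up in `scan_running` output is exactly the kind the reply above says must be restarted rather than recompiled, while `links_openssl_dynamically /path/to/firefox` returning non-zero is the statically linked case that no system upgrade will fix.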
OpenSSL 1.0.1k source code was released on 8th January and many distributions now have updated packages available too.
This isn't as serious a bug fix as the Heartbleed bug but it still contains eight fixes.