new ssl breach
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
Only if running 6.X
There was an update for 5.X on TLS a couple of days ago.
--
greg@gregfolkert.net
"No snowflake in an avalanche ever feels responsible." --Stanislaw Jerzy Lec
a lot of the nix are affected
I don't doubt that. But you've only...
Linked to the RH sources.

Yes, it shows the CVE, but it would have been nice to have it here in one click rather than two and a ton of incessant Red Hat blather.
--
greg@gregfolkert.net
A more general story about it.
http://www.androidpolice.com/2014/06/05/heartbleed-fallout-continues-openssl-team-publishes-and-patches-7-more-vulnerabilities-some-serious/

It seems that ever since the Heartbleed bug was published earlier this Spring, OpenSSL just hasn't been able to catch a break. Today, it was announced that seven additional vulnerabilities had been discovered affecting OpenSSL 0.9.8, 1.0.0, 1.0.1, and 1.0.2 (meaning all versions, basically).

At least one of the bugs, a man-in-the-middle attack referred to as CCS injection (detailed here and here), has been dubbed "serious" by the team. Updated versions of OpenSSL have been published today patching these vulnerabilities, including new versions of OpenSSL 0.9.8, 1.0.0, and 1.0.1. The 1.0.2 beta release has not been updated and is still currently vulnerable.

Anyone running an affected version is advised to upgrade as soon as possible, though that's probably self-explanatory at this point.


Cheers,
Scott.
It is finally a great thing...
The whole project is getting the needed influx of attention.

It has been languishing for a while.

gnuTLS has been also.

I really hate the computing industry now... coupled with PCI compliance, HIPAA, SAS70... and other reqs... it has become a landmine buffet.
--
greg@gregfolkert.net
I heard...
that the OpenSSL codebase is a real dog's breakfast. Fixing it up is a mammoth task.

I also heard that the latest problem was traced back to the same programmer who did the Heartbleed one.

Oops.

Wade.
There were actually 7 CVEs announced today for OpenSSL
The MITM one... being the biggest problem; the other 6 were all DoS attack vectors, causing the machine to run out of resources.

This one appears to have been traced back to the same guy that did Heartbleed... also, this isn't *REALLY* that big of a threat, considering BOTH the Server *AND* the Client have to have matching versions and essentially the same compile-time options for the MITM to work.

But considering RHEL v5 and v6 are mostly used without recompiling the binary releases... you get this. The other thing is that OpenSSL is used in Android; they used the default compile options for Android's processors, which closely match those for the 32-bit and 64-bit runtimes.

It isn't just RHEL/CentOS; Ubuntu, Debian, SuSE... etc. all have this issue.

But again, the MITM attack has to have both the Server *AND* the Client running the same versions.

So it is *NOWHERE* close to Heartbleed in scope and range.
--
greg@gregfolkert.net
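The "early ChangeCipherSpec" behaviour behind the CCS injection MITM that the article quote and the post above describe can be checked directly against a server you own. The following is an added example, not code from this thread or from the OpenSSL project: it builds a bare TLS 1.0 ClientHello, reads the server's handshake up to ServerHelloDone, then injects a ChangeCipherSpec record before any key exchange and looks at how the server reacts. The mapping of the server's alert onto "patched" or "vulnerable" (fatal unexpected_message for a fixed build, bad_record_mac/decryption_failed once a vulnerable build has keyed its record layer from an empty secret) is an assumption stated in the code; the record builders and the classifier run offline on constructed bytes, and only `probe()` touches the network.

```python
import os
import socket
import struct

# TLS record content types (RFC 5246)
CCS, ALERT, HANDSHAKE = 20, 21, 22
SERVER_HELLO_DONE = 14            # HandshakeType
TLS10 = b"\x03\x01"


def client_hello():
    """Minimal TLS 1.0 ClientHello record offering one RSA cipher suite."""
    body = (
        TLS10                          # client_version
        + os.urandom(32)               # random
        + b"\x00"                      # session_id: empty
        + b"\x00\x02\x00\x2f"          # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                  # compression_methods: null
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return bytes([HANDSHAKE]) + TLS10 + struct.pack(">H", len(hs)) + hs


def early_ccs():
    """A ChangeCipherSpec record sent before any key exchange: the CCS injection probe."""
    return bytes([CCS]) + TLS10 + b"\x00\x01\x01"


def parse_records(data):
    """Split a TLS byte stream into (content_type, payload); a trailing partial record is ignored."""
    records, i = [], 0
    while i + 5 <= len(data):
        ctype, length = data[i], struct.unpack(">H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        records.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return records


def handshake_types(records):
    """HandshakeType of every message in the HANDSHAKE records (one record may carry several)."""
    types = []
    for ctype, payload in records:
        if ctype != HANDSHAKE:
            continue
        j = 0
        while j + 4 <= len(payload):
            types.append(payload[j])
            j += 4 + int.from_bytes(payload[j + 1:j + 4], "big")
    return types


def classify(reply):
    """Map the server's reaction to the injected CCS onto a verdict.
    Assumed behaviour: a fixed OpenSSL rejects the early CCS with a fatal
    unexpected_message(10) alert; a vulnerable one accepts it, keys the
    record layer from an empty master secret and then fails to decrypt the
    next record with bad_record_mac(20) or decryption_failed(21)."""
    for ctype, payload in parse_records(reply):
        if ctype == ALERT and len(payload) >= 2:
            level, desc = payload[0], payload[1]
            if desc == 10:
                return "patched"
            if desc in (20, 21):
                return "vulnerable"
            return "unknown alert level=%d desc=%d" % (level, desc)
    return "no alert"


def _recv_quiet(sock):
    try:
        return sock.recv(4096)
    except socket.timeout:
        return b""


def probe(host, port=443, timeout=5.0):
    """Live check (network; not exercised offline): handshake up to
    ServerHelloDone, inject a CCS, and read the server's reaction."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        buf = b""
        while SERVER_HELLO_DONE not in handshake_types(parse_records(buf)):
            chunk = sock.recv(65536)
            if not chunk:                  # e.g. handshake_failure on our single cipher suite
                return "handshake aborted before ServerHelloDone"
            buf += chunk
        sock.sendall(early_ccs())
        reply = _recv_quiet(sock)
        if not reply:                      # accepted silently: a second CCS forces the decrypt failure
            sock.sendall(early_ccs())
            reply = _recv_quiet(sock)
        return classify(reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it only against hosts you are allowed to test; `python3 ccs_probe.py host 443` prints one of the verdicts. A server that answers the ClientHello with an alert (for instance because it rejects the single cipher suite offered) never reaches ServerHelloDone and is reported as aborted rather than misclassified.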
     new ssl breach - (boxley) - (7)
         Only if running 6.X - (folkert) - (2)
             a lot of the nix are affected -NT - (boxley) - (1)
                 I don;t doubt that. But you've only... - (folkert)
         A more general story about it. - (Another Scott) - (3)
             It is finally a great thing... - (folkert) - (2)
                 I heard... - (static) - (1)
                     There was actually 7 CVE announced today for OpenSSL - (folkert)