
Welcome to IWETHEY!

I heard...
that the OpenSSL codebase is a real dog's breakfast. Fixing it up is a mammoth task.

I also heard that the latest problem was traced back to the same programmer who did the Heartbleed one.

Oops.

Wade.
There were actually 7 CVEs announced today for OpenSSL
The MITM one... being the highest problem, the other 6 were all DoS attack vectors, causing the machine to run out of resources.

This one appears it was traced back to the same guy that did the Heartbleed... also, this isn't *REALLY* that big of a threat. Considering BOTH the Server *AND* the Client have to have matching versions and essentially the same compile-time options for it to function properly for the MITM to work.

But considering RHEL v5 and v6 are mostly used without recompiling the binary releases... you get this. The other thing is that OpenSSL is used in Android, they used the default compile options for Android's processors which closely matches that for 32-bit and 64-bit runtimes.

It isn't just RHEL/CentOS, it is Ubuntu, Debian, SuSE... etc. All having this issue.

But again, the MITM attack has to have both the Server *AND* the Client running the same versions.

So it is *NOWHERE* close to Heartbleed in scope and range.
--
greg@gregfolkert.net
"No snowflake in an avalanche ever feels responsible." --Stanislaw Jerzy Lec