Full Disclosure mailing list archives
Re: More OpenSSL issues
From: Craig Young <vuln-report () secur3 us>
Date: Sat, 7 Jun 2014 17:04:17 -0400
Yeah, definitely not in the same ballpark as heartbleed fortunately. I have posted a detection script on the Tripwire blog to identify servers permitting the early CCS:

http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/

It should detect potentially vulnerable hosts with a variety of configurations.

Thanks,
Craig

On Jun 6, 2014 3:36 AM, "P Vixie" <paul () redbarn org> wrote:

> This does not appear to be the same panic level as the previous patch. In other words the previous openssl vuln was worse than the instability of all-night patching. This one is not. Take time to roll out right.
>
> On June 5, 2014 7:51:50 AM PDT, Jordan Urie <jordan () uptech ca> wrote:
>
>> Ladies and Gentlemen,
>>
>> https://www.openssl.org/news/secadv_20140605.txt
>>
>> There's an MITM in there, and a potential for buffer over-runs.
>>
>> Patch up :-)
>>
>> Jordan
>>
>> --
>> Jordan R. Urie
>> UP Technology Consulting, Inc.
>> 1129 - 177A St. SW
>> Edmonton, AB T6W 2A1
>> Phone: (780) 809-0932
>> www.uptech.ca
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Current thread:
- More OpenSSL issues Jordan Urie (Jun 05)
- Re: More OpenSSL issues Brandon Vincent (Jun 05)
- Re: More OpenSSL issues P Vixie (Jun 06)
- Re: More OpenSSL issues Craig Young (Jun 07)