Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

[Michael Thomas <mike () mtcc com>]

Just as a data point, I checked the servers I run and it's a good thing 
I didn't reflexively update them first.
On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't 
have the vulnerability, but the
ones queued up for update do. I assume that redhat will get the patched 
version soon but be careful!

Mike

On 04/07/2014 10:06 PM, Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - - ferg
>
>
>
> Begin forwarded message:
>
> > From: Rich Kulawiec <rsk () gsp org> Subject: Serious bug in
> > ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
> > 9:27:40 PM EDT
> >
> > This reaches across many versions of Linux and BSD and, I'd
> > presume, into some versions of operating systems based on them.
> > OpenSSL is used in web servers, mail servers, VPNs, and many other
> > places.
> >
> > Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
> > revealed
> > http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
> >
> >   Technical details: Heartbleed Bug http://heartbleed.com/
> >
> > OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
> > through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
> > vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
> > NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>
> - -- 
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
> =aAzE
> -----END PGP SIGNATURE-----