oss-sec mailing list archives
Re: Cauterizing OpenSSL's heartbleed (the aftermath)
From: Yves-Alexis Perez <corsac () debian org>
Date: Thu, 10 Apr 2014 07:50:45 +0200
On Wed, Apr 09, 2014 at 04:20:14PM -0700, Seth Arnold wrote:
> On Wed, Apr 09, 2014 at 10:47:48PM +0000, mancha wrote:
> > Mustafa Al-Bassam's work assists a great deal with this taxonomy. He ran PoC code against Alexa top 100, 1000, and 10000 sites beginning about 18 hours after OpenSSL's first public announcement [1]. Specifically, his scans began circa: 1396956600 (top 100); 1396958400 (top 1000); and 1396972800 (top 10000).
> >
> > Did any major vendors deploy upgrades prior to this?
>
> Ubuntu's updates were released around 1396907296 [2], roughly 13 hours before Mustafa's awesome scans.

For Debian Wheezy, the DSA was sent circa 1396906606 [1]. The packages were already on the initial security.debian.org (and started propagating to the mirrors) since circa 1396899374

[1]: https://lists.debian.org/debian-security-announce/2014/msg00071.html
[2]: http://snapshot.debian.org/package/openssl/1.0.1e-2%2Bdeb7u5/

Regards,
--
Yves-Alexis Perez
Current thread:
- Cauterizing OpenSSL's heartbleed (the aftermath) mancha (Apr 09)
- Re: Cauterizing OpenSSL's heartbleed (the aftermath) Seth Arnold (Apr 09)
- Re: Cauterizing OpenSSL's heartbleed (the aftermath) Yves-Alexis Perez (Apr 09)
- Re: Cauterizing OpenSSL's heartbleed (the aftermath) mancha (Apr 11)
- Re: Cauterizing OpenSSL's heartbleed (the aftermath) Seth Arnold (Apr 09)