On 4/9/2014 9:47 AM, Steven Hartland wrote:
> ----- Original Message ----- From: "Karl Denninger" <k...@denninger.net>
>> On 4/9/2014 9:21 AM, Zoran Kolic wrote:
>>> Advisory claims 10.0 only to be affected. Patches to branch 9 are not of importance on the same level?
>>
>> 9 (and before) were only impacted if you loaded the newer OpenSSL from ports. A fair number of people did, however, as a means of preventing BEAST attack vectors.
>>
>> If you did, then you need to update that and have all your private keys re-issued. If you did not then you never had the buggy code in the first place.
>
> Actually they are vulnerable without any ports install, just not to CVE-2014-0160, only CVE-2014-0076, both of which were fixed by SA-14:06.openssl
>
> Regards
> Steve

Good point -- there is that other advisory in there so "base" 8.x and 9.x users should update as well.

However, the other problem does not involve the same sort of vulnerability to remote "grabs" of data, including authentication credentials (and worse, private key data.)

-- Karl
k...@denninger.net