> On 5 Mar 2015, at 12:23, Salz, Rich <rs...@akamai.com> wrote:
>> if (!openssl_is_patched("CVE-2014-0160")) {
>>   complain_vociferously();
>> }
> 
> That's an interesting idea.  Of course the CVE list would grow, so perhaps 
> arrays of ints are better
>       int OPENSSL_cve_fixed(int year, int vuln);
> 
> ?

This feels onerous... I think this would only affect vendors who release their 
own patched versions. The OpenSSL team should probably not have to deal with their 
problems; using the latest version of upstream OpenSSL, you'd be fine to verify the 
version number.
Maybe it's just a case of the vendor (RedHat etc.) coming up with a 
solution - a /usr/share/openssl/heartbleed_fixed file added to the package, or 
a /usr/share/openssl/patchlist file containing the list of patches applied. 
Freeradius can then check this based on the distribution's way of dealing with 
it.

Jason
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
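The following is an added example, not code from this thread, from OpenSSL or from FreeRADIUS. It sketches what the consumer side of Jason's suggestion could look like in C (the language FreeRADIUS and OpenSSL are written in): a vendor-shipped /usr/share/openssl/patchlist is read and searched for a CVE identifier, and Rich's (year, number) interface is layered on top of the same lookup. The path, the file format (one CVE id per line, '#' comments) and all function names are assumptions for illustration; the patchlist contents below are a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of a hypothetical /usr/share/openssl/patchlist.
 * Format assumed here: one CVE identifier per line, optional leading
 * whitespace, '#' starts a comment, blank lines are ignored. */
static const char SAMPLE_PATCHLIST[] =
    "# patches applied to this OpenSSL package (constructed sample)\n"
    "CVE-2014-0160   # heartbleed\n"
    "  CVE-2014-0224\n"
    "\n";

/* Return 1 if 'cve' appears as the whole first token of some non-comment
 * line in 'patchlist', else 0.  Whole-token comparison is deliberate:
 * "CVE-2014-016" must not match "CVE-2014-0160". */
int patchlist_contains(const char *patchlist, const char *cve)
{
    size_t cvelen = strlen(cve);
    const char *line = patchlist;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;

        while (p < end && isspace((unsigned char)*p))
            p++;
        if (p < end && *p != '#') {
            const char *q = p;
            while (q < end && !isspace((unsigned char)*q) && *q != '#')
                q++;
            if ((size_t)(q - p) == cvelen && strncmp(p, cve, cvelen) == 0)
                return 1;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Rich's numeric interface, layered on the same list: year and sequence
 * number are formatted the way CVE ids are written (CVE-YYYY-NNNN, with
 * at least four digits in the sequence number). */
int openssl_cve_fixed(const char *patchlist, int year, int vuln)
{
    char id[32];

    snprintf(id, sizeof id, "CVE-%d-%04d", year, vuln);
    return patchlist_contains(patchlist, id);
}

/* Read the patchlist at 'path' (at most 64 KiB) and look 'cve' up.
 * Returns 1 if listed, 0 if not listed, -1 if the file cannot be read.
 * A caller should treat both 0 and -1 as "not known to be fixed" and
 * fall back to the version-number check. */
int patchlist_file_contains(const char *path, const char *cve)
{
    static char buf[64 * 1024];
    FILE *fp = fopen(path, "r");
    size_t n;

    if (fp == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return patchlist_contains(buf, cve);
}

int main(void)
{
    const char *path = "/usr/share/openssl/patchlist"; /* hypothetical */
    int r = patchlist_file_contains(path, "CVE-2014-0160");

    if (r < 0) {
        printf("%s not readable, using constructed sample\n", path);
        r = patchlist_contains(SAMPLE_PATCHLIST, "CVE-2014-0160");
    }
    printf("CVE-2014-0160 listed as fixed: %s\n", r ? "yes" : "no");
    return 0;
}
```

The lookup is whole-token and case-sensitive on purpose: a prefix match would let "CVE-2014-016" pass for Heartbleed, and an unreadable or absent file is reported separately from "not listed" so the caller can decide to complain rather than silently assume the fix is present.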