kcrisman wrote:
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
Apparently this is a real vulnerability in OpenSSL.
We should certainly update the optional OpenSSL spkg (last updated on
trac to 1.0.1c, Volker upgraded it to 1.0.1e upon the switch to git).
OpenSSL Security Advisory [07 Apr 2014]
========================================
TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <a...@chromium.org> and Bodo Moeller <bmoel...@acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
[https://www.openssl.org/news/secadv_20140407.txt] See also [1].
Others will hopefully install security updates from their distros; note
that especially older releases which still use 0.9.x versions aren't
affected.
-leif
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
--
() The ASCII Ribbon Campaign
/\ Help Cure HTML E-Mail
--
You received this message because you are subscribed to the Google Groups
"sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to sage-devel+unsubscr...@googlegroups.com.
To post to this group, send email to sage-devel@googlegroups.com.
Visit this group at http://groups.google.com/group/sage-devel.
For more options, visit https://groups.google.com/d/optout.
