Yeah, definitely not in the same ballpark as heartbleed fortunately.
I have posted a detection script on the Tripwire blog to identify servers
permitting the early CCS:
http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-inject
This does not appear to be the same panic level as the previous patch. In other
words, the previous OpenSSL vuln was worse than the instability of all-night
patching. This one is not. Take time to roll out right.
On June 5, 2014 7:51:50 AM PDT, Jordan Urie wrote:
>Ladies and Gentlemen,
>
>https:
Per the security advisory:
"The attack can only be performed between a vulnerable client *and* server."
This would have produced quite a media nightmare if most browsers used
OpenSSL instead of NSS, etc.
Chrome for Android was affected and is patched in 35.0.1916.141.
Brandon Vincent
Ladies and Gentlemen,
https://www.openssl.org/news/secadv_20140605.txt
There's an MITM in there, and a potential for buffer over-runs.
Patch up :-)
Jordan
--
Jordan R. Urie
UP Technology Consulting, Inc.
1129 - 177A St. SW
Edmonton, AB T6W 2A1
Phone: (780) 809-0932
www.uptech.ca