According to the changelog, the CVE is fixed now.
$ rpm -qa|grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
Tue Apr 8 12:17:25 EDT 2014
Z643357:~
$ rpm -q --changelog openssl | less
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information di
1.0.1 was not deployed until RHEL 6.5. Red Hat released patches
for RHEL last night, and CentOS followed suit a few minutes
later.
-Original Message-
From: Michael Thomas [mailto:m...@mtcc.com]
Sent: Tuesday, April 08, 2014 12:03 PM
To: nanog@nanog.org
Subject: Re: Fwd: Serious bug in
For testing, I've had good luck with
https://github.com/titanous/heartbleeder and
https://gist.github.com/takeshixx/10107280
Both are mostly platform-independent, so they should be able to work even
if you don't have a modern OpenSSL to test with.
Cheers and good luck (you're going to need it),
j
The updated CentOS openssl binaries haven't patched the underlying bug, but
they have disabled the heartbeat functionality. By doing so, they've
disabled the attack vector. Once upstream releases a fix, they will
re-enable the heartbeat function with the working patch.
And yes, don't forget to res
Just as a data point, I checked the servers I run and it's a good thing
I didn't reflexively update them first.
On CentOS 6.0, the default openssl is 1.0.0 which supposedly doesn't
have the vulnerability, but the
ones queued up for update do. I assume that Red Hat will get the patched
version soo
Randy Bush writes:
> you might like (thanks smb, or was it sra)
>
> openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe
protip: you have to run this from a device that actually is running
1.0.x, i.e. supports the heartbeat ex
On Tue, Apr 8, 2014 at 4:35 AM, Randy Bush wrote:
>> I'm really surprised no one has mentioned this here yet...
>
> we're all too damned busy updating and generating keys
>
> you might like (thanks smb, or was it sra)
>
> openssl s_client -connect google\.com:443 -tlsextdebug 2>&1| grep 'server
>
> I'm really surprised no one has mentioned this here yet...
we're all too damned busy updating and generating keys
you might like (thanks smb, or was it sra)
openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe
randy, who is alm
OK, now... it's far too late for April Fool's. :(
That's scary as heck. :( Guess I know what the first order of
business will be tomorrow...
- Pete
On 4/8/2014 1:06 AM, Paul Ferguson wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
I'm really surprised no one has mentioned this