https://www.openssl.org/news/changelog.html
1.0.1 introduced the heartbeat support.
1.0.0 and earlier are fortunate in that they didn't have it. But then they
didn't have things to stop you from being BEASTed so some you win, some you
lose. ;)
alan
Hi,
Is OpenSSL 0.9.7d vulnerable? Can seem to confirm based on the list of
affected services from this site http://heartbleed.com/.
Regards,
Mon
On Tuesday, April 8, 2014 3:01 AM, OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [07 Apr 2014]
==
There exists engine_pkcs11, but I'm seeing caveats that it can only
work if OpenSSL is statically linked. This may have changed. (It
also apparently only does RSA.)
-Kyle H
On Tue, Apr 8, 2014 at 10:31 AM, whitehat wrote:
> Hi
> I am using OpenSSL 1.0.2 on Windows 7 (Visual Studio) and I am tr
On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
> Team, I am having a discussion with a few friends about why this OpenSSL
> vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of
> you (apologize in advance), but can't think of any other way to prove my
> point other than sp
Team, I am having a discussion with a few friends about why this OpenSSL
vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of
you (apologize in advance), but can't think of any other way to prove my
point other than speaking to the folks who really know (that's u). Or maybe
Thank you. In the meantime, I found RFC 6520 which explains it.
Most appreciated.
+-+-+-+-+-+-+-+-+-
Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St.
Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office: 508-249-1257, Mobile: 978-500-2546, dave.mclel...@emc.com
+-
But it's the apps that need these features. The app should either have the
option to disable features if not needed... or be coded to not accept such
extensions if it doesn't utilise them (which I believe is the correct way)
alan
Would it be a good idea to allow disabling these extensions at
runtime (via some option)? That would minimize the impact of security
holes like this, right? Instead of having to recompile "everything"
you would "just" have to set an option (yes, I know, not every
application might have support for
On 08 Apr 2014, at 19:19, mclellan, dave wrote:
> Hi all. There are two mitigations possible for the recently discovered
> Heartbleed attack.
>
> * Upgrade to 1.0.1g, released yesterday with a fix
> * Recompile a vulnerable release with -DOPENSSL_NO_HEARTBEATS
>
> Suppose we choose the
...or take the upstream fix...apply to your older version and keep the
heartbeat functionality. Which is what I believe the very latest redhat/centos
patches do
Alan
True that’s possible, except that it only applies if customers actually install
a corrected older version that we make available. We can pour the clean water
but can’t make the customer drink it; he might still be drinking the dirty
water.
Thanks for that suggestion.
Dave
+-+-+-+-+-+-+-+-+-
Hi all. There are two mitigations possible for the recently discovered
Heartbleed attack.
* Upgrade to 1.0.1g, released yesterday with a fix
* Recompile a vulnerable release with -DOPENSSL_NO_HEARTBEATS
Suppose we choose the latter. We might be installed into a server host in a
shop wi
Hi
I am using OpenSSL 1.0.2 on Windows 7 (Visual Studio) and I am trying to use
a third party pkcs11 library to sign a certificate signing request (csr).
The private and public keys are generated and stored on a usb token, and
there is no way of accessing them as files or blobs, but only attribute