Fwd: Re: [FD] More OpenSSL issues



re: Jim's post from yesterday.  From the Full Disclosure list:

On Sat, Jun 7, 2014, at 02:04 PM, Craig Young wrote:
Yeah, definitely not in the same ballpark as heartbleed fortunately.

I have posted a detection script on the Tripwire blog to identify
servers permitting the early CCS:
http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/

It should detect potentially vulnerable hosts with a variety of
configurations.

Thanks,
Craig


> On Jun 6, 2014 3:36 AM, "P Vixie" <> wrote:
> 
> > This does not appear to be the same panic level as the previous patch. In
> > other words the previous openssl vuln was worse than the instability of
> > all-night patching. This one is not. Take time to roll out right.
> >
> > On June 5, 2014 7:51:50 AM PDT, Jordan Urie <> wrote:
> > >Ladies and Gentlemen,
> > >
> > >
> > >
> > >There's an MITM in there, and a potential for buffer over-runs.
> > >
> > >Patch up :-)
> > >
> > >
> > >Jordan
> > >
> > >--
> > >
> > >Jordan R. Urie
> > >
> > >UP Technology Consulting, Inc.
> > >1129 - 177A St. SW
> > >Edmonton, AB  T6W 2A1
> > >Phone: 
> > >
> > >www.uptech.ca
> > >
> > >_______________________________________________
> > >Sent through the Full Disclosure mailing list
> > >
> > >Web Archives & RSS: 
> >
> > --
> > Sent from my Android phone with K-9 Mail. Please excuse my brevity.