
Fwd: Re: [FD] More OpenSSL issues



Hello,

I'm inviting whoever wants to, and is interested in doing so, to add to
this guide on OpenSSL issues (which, probably given the pace of OpenSSL
developments, is very likely not up to par with where it should be for
humans to read and benefit meaningfully from it).  It's focused on
benefiting open source operating system users and throws some tidbits in
for Mac/OSX folks as well.

Please feel free to make a pull request to change it if it needs change,
addition, whatever, at:

https://github.com/btcfoundationedcom/btcfoundationedcom.github.io/blob/master/proposals/heartbleedmitigation.md

If interested in other sorts of participation (including if you want to
join the repo as collaborator), please see the blog at:
https://github.com/btcfoundationedcom/btcfoundationedcom.github.io/blob/master/blog/01-decentralization.md

and the readme at:
https://github.com/btcfoundationedcom/btcfoundationedcom.github.io

Cheers!



> re: Jim's post from yesterday.  From the Full Disclosure list:
>
> On Sat, Jun 7, 2014, at 02:04 PM, Craig Young wrote:
> Yeah, definitely not in the same ballpark as heartbleed fortunately.
>
> I have posted a detection script on the Tripwire blog to identify servers
> permitting the early CCS:
> http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/
>
> It should detect potentially vulnerable hosts with a variety of
> configurations.
>
> Thanks,
> Craig
>
>
>> On Jun 6, 2014 3:36 AM, "P Vixie" <> wrote:
>>
>> > This does not appear to be the same panic level as the previous patch. In
>> > other words the previous openssl vuln was worse than the instability of
>> > all-night patching. This one is not. Take time to roll out right.
>> >
>> > On June 5, 2014 7:51:50 AM PDT, Jordan Urie <> wrote:
>> > >Ladies and Gentlemen,
>> > >
>> > >
>> > >
>> > >There's an MITM in there, and a potential for buffer over-runs.
>> > >
>> > >Patch up :-)
>> > >
>> > >
>> > >Jordan
>> > >
>> > >--
>> > >
>> > >Jordan R. Urie
>> > >
>> > >UP Technology Consulting, Inc.
>> > >1129 - 177A St. SW
>> > >Edmonton, AB  T6W 2A1
>> > >Phone:
>> > >
>> > >www.uptech.ca
>> > >
>> > >_______________________________________________
>> > >Sent through the Full Disclosure mailing list
>> > >
>> > >Web Archives & RSS:
>> >
>> > --
>> > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>