RE: Apple sent fixes out a month or so ago.. .Re: [Nolug] SSL bug

From: John Souvestre <>
Date: Tue, 8 Apr 2014 18:22:38 -0500
Message-ID: <001101cf5381$703a76c0$50af6440$>

If memory serves, the problem which Apple had was not with the crypto library
itself, but in how they handled (or didn't handle) an error return from one of
the calls to it.



    John Souvestre - New Orleans LA


From: []
On Behalf Of Me
Sent: Tue, April 08, 2014 6:17 pm
Subject: Apple sent fixes out a month or so ago.. .Re: [Nolug] SSL bug


Apple uses OpenSSL?

I believe this was a month ago, and was affecting a major portion of there


Did they inform the OpenSSL community, or did they keep it a secret.


Patrick M. BLA/LMT -- Rigger
Communications & Media Consult -- Massage Therapist 
PnM Resources -- Follow me #: 800-901-1089
From: Joey Kelly <>
Sent: Tuesday, April 8, 2014 11:42 AM
Subject: Re: [Nolug] SSL bug
On 04/08/2014 11:01 AM, John Souvestre wrote:
> Hi Joey.
> Right!
> Also ...
> Version check:
>      Shell:  openssl version -a
>            But:  Many distributions repackage it and use their own version
> number.
>      Test site:
> John
>    John Souvestre - New Orleans LA
Here, go laugh at this:
> -----Original Message-----
> From:
> On Behalf Of Joey Kelly
> Sent: Tue, April 08, 2014 10:53 am
> To: undisclosed-recipients:
> Subject: [Nolug] SSL bug
> <> 
> Guys,
> The guy that wrote the above needs to work on his english a little, but
> described is bad. Very bad. If either end of an ssh or SSL connection (this
> includes VPNs, IPsec, Puppet, secure websites, and other stuff) runs
> vulnerable code (the site lists the versions in question), your stuff can be
> owned. Log into your bank? An attacker can follow right after you and steal
> all your money --- that bad.
> If you run Debian 7 or CentOS 6, you are vulnerable. Versions prior are safe
> (I have no idea which versions of Ubuntu are based on which versions of
> Debian, so if you run that, find out ASAP).
> Change all your SSL certs. Regenerate your ssh keys. Once that's done,
> any password (ssh, web login, you name it) that was used on a vulnerable
> server. There is no telling if the bad guys knew about this before the bugs
> were found, and no way of knowing if your stuff was accessed or not.
> This is a Big Deal.
> --
> Joey Kelly
> Minister of the Gospel and Linux Consultant
> 504-239-6550
> ___________________
> Nolug mailing list
Nolug mailing list

Nolug mailing list

Received on 04/08/14

This archive was generated by hypermail 2.2.0 : 04/09/14 EDT