If memory serves, the problem which Apple had was not with the crypto library
itself, but in how they handled (or didn't handle) an error return from one of
the calls to it.
John
John Souvestre - New Orleans LA
From: owner-nolug@stoney.kellynet.org [mailto:owner-nolug@stoney.kellynet.org]
On Behalf Of Me
Sent: Tue, April 08, 2014 6:17 pm
To: nolug@nolug.org
Subject: Apple sent fixes out a month or so ago.. .Re: [Nolug] SSL bug
Apple uses OpenSSL?
I believe this was a month ago, and was affecting a major portion of their
devices.
https://www.youtube.com/watch?v=WYDwPw-S9m8
Did they inform the OpenSSL community, or did they keep it a secret?
-- Patrick M. BLA/LMT -- Rigger Communications & Media Consult -- Massage Therapist PnM Resources -- Follow me #: 800-901-1089
_____
From: Joey Kelly <joey@joeykelly.net>
To: nolug@nolug.org
Sent: Tuesday, April 8, 2014 11:42 AM
Subject: Re: [Nolug] SSL bug
On 04/08/2014 11:01 AM, John Souvestre wrote:
> Hi Joey.
>
> Right!
>
> Also ...
>
> Version check:
> Shell: openssl version -a
> But: Many distributions repackage it and use their own version
> number.
> Test site: http://filippo.io/Heartbleed/
>
> John
>
> John Souvestre - New Orleans LA
Here, go laugh at this: http://filippo.io/Heartbleed/#openssl.org:443
--Joey
>
>
> -----Original Message-----
> From: owner-nolug@stoney.kellynet.org [mailto:owner-nolug@stoney.kellynet.org]
> On Behalf Of Joey Kelly
> Sent: Tue, April 08, 2014 10:53 am
> To: undisclosed-recipients:
> Subject: [Nolug] SSL bug
>
> http://heartbleed.com
>
> Guys,
>
> The guy that wrote the above needs to work on his English a little, but what's
> described is bad. Very bad. If either end of an ssh or SSL connection (this
> includes VPNs, IPsec, Puppet, secure websites, and other stuff) runs
> vulnerable code (the site lists the versions in question), your stuff can be
> owned. Log into your bank? An attacker can follow right after you and steal
> all your money --- that bad.
>
> If you run Debian 7 or CentOS 6, you are vulnerable. Versions prior are safe
> (I have no idea which versions of Ubuntu are based on which versions of
> Debian, so if you run that, find out ASAP).
>
> Change all your SSL certs. Regenerate your ssh keys. Once that's done, change
> any password (ssh, web login, you name it) that was used on a vulnerable
> server. There is no telling if the bad guys knew about this before the bugs
> were found, and no way of knowing if your stuff was accessed or not.
>
> This is a Big Deal.
>
> --
> Joey Kelly
> Minister of the Gospel and Linux Consultant http://joeykelly.net
> 504-239-6550
> ___________________
> Nolug mailing list
> nolug@nolug.org
>
___________________
Nolug mailing list
nolug@nolug.org
This archive was generated by hypermail 2.2.0 : 04/09/14 EDT