Subject: | |
From: | |
Reply To: | |
Date: | Thu, 10 Apr 2014 11:10:12 -0500 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
On Thu, 10 Apr 2014, William Lutter wrote:
> I see this link relative to openssl and heartbleed exploit...
>
> https://www.openssl.org/news/secadv_20140407.txt
>
> A missing bounds check in the handling of the TLS heartbeat extension can be
> used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
> 1.0.1f and 1.0.2-beta1.
>
> Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
> upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.
>
> My SL 6.5 lists
> openssl-1.0.1e-16.el6_5.7.x86_64
> openssl098e-0.9.8e-17.el6_2.2.x86_64
> openssl-devel-1.0.1e-16.el6_5.7.x86_64
>
> so, it is a vulnerable version of openssl.
No, that is the updated version. TUV backports security errata. They
key is the .7 in el6_5.7 .
>
> Question 1 I enabled fastbugs in sl-other.repo and well as usual enables
> in sl.repo, however, do not see an update for openssl.
>
> Will there be one forthcoming from SL or have I missed the proper
> repository to get it? I have no server on this PC, so I am not worried
> yet.
It was released on Tuesday morning.
>
> Question 2
> I surmise that older versions of openssl on older SLs are not impacted
> such as
> openssl-0.9.8e-26.el5_9.1.i686
Not impacted.
>
> Bill Lutter
>
-Connie Sieh
|
|
|