| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Apr 2014 13:30:11 +0000 From: Chris Schmidt <chris.schmidt@...trastsecurity.com> To: Nik Mitev <nik@...ev.net> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 The bug is in the TLS implementation in OpenSSL, you will only see it on https Sent from my iPhone > On Apr 8, 2014, at 4:43 AM, "Nik Mitev" <nik@...ev.net> wrote: > > I used the tool Kirils linked (http://possible.lv/tools/hb/) and my > unpatched servers running a Tor node or an Openvpn server returned > correct (old) version of openssl but not vulnerable. > Is it the bug or the tool that seems to be limited to https I wonder? > > Patched now so can't test with this tool... > > -----Original Message----- > From: Fraser Scott <fraser.scott@...il.com> > To: fulldisclosure@...lists.org > Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 > Date: Tue, 8 Apr 2014 10:24:02 +0100 > > This seems to be the best test so far: > > http://s3.jspenguin.org/ssltest.py > > Other tests false-positive on patched versions from what I can see. > > >> On 8 April 2014 01:10, Kirils Solovjovs <kirils.solovjovs@...ils.com> wrote: >> >> We are doomed. >> >> Description: http://www.openssl.org/news/vulnerabilities.html >> Article dedicated to the bug: http://heartbleed.com/ >> Tool to check if TLS heartbeat extension is supported: >> http://possible.lv/tools/hb/ >> >> A missing bounds check in the handling of the TLS heartbeat extension >> can be used to reveal up to 64kB of memory to a connected client or server. >> >> 1.0.1[ abcdef] affected. >> >> >> P.S. Happy Monday! >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists