| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Apr 2014 18:10:15 +0800 From: Shawn <citypw@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Audit: don't only focus on heartbleed issue After an exciting and crazy week. People are getting calm and plan or already start to doing audit on their system. But there are something you might miss. The older version of OpenSSL( like 0.9.8) might not affected by heartbleed issue but it doesn't mean you are secure. Don't forget the old OpenSSL are still vulnerable to BEAST( 2011), CRIME( 2012), Lucky-thirteen( 2013)[1]. I do believe Lucky-thirteen is far more dangerous than heartbleed, we just don't know. Once you start the audit, plz upgrade the OpenSSL to the latest version. If you are using 0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to Lucky-13 issue. Fix heartbleed issue for website is much easier than the networking devices( Firewall, UTM, SSL/IPSEC VPN, etc) and the 3rd-party software. This definitely gonna impacting for long term. [1] http://www.isg.rhul.ac.uk/tls/ -- GNU powered it... GPL protect it... God blessing it... regards Shawn _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists