| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CF69A5A2.3DB3C%chris.schmidt@contrastsecurity.com> Date: Tue, 8 Apr 2014 19:12:03 +0000 From: Chris Schmidt <chris.schmidt@...trastsecurity.com> To: "noloader@...il.com" <noloader@...il.com> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 Sorry - my answer was unclear - you will see the bug in anything that uses the TLS implementation in OpenSSL. I said https because it seemed like (maybe I misunderstood) Nik was asking about http. Admittedly I was tired when I replied; in retrospect I should have waited :) So if SPDY uses TLS with a vuln version of OpenSSL, yes the problem exists. On 4/8/14, 1:08 PM, "Jeffrey Walton" <noloader@...il.com> wrote: >On Tue, Apr 8, 2014 at 9:30 AM, Chris Schmidt ><chris.schmidt@...trastsecurity.com> wrote: >> The bug is in the TLS implementation in OpenSSL, you will only see it >>on https >SPDY? > >>> On Apr 8, 2014, at 4:43 AM, "Nik Mitev" <nik@...ev.net> wrote: >>> >>> I used the tool Kirils linked (http://possible.lv/tools/hb/) and my >>> unpatched servers running a Tor node or an Openvpn server returned >>> correct (old) version of openssl but not vulnerable. >>> Is it the bug or the tool that seems to be limited to https I wonder? >>> >>> Patched now so can't test with this tool... >>> >>> -----Original Message----- >>> From: Fraser Scott <fraser.scott@...il.com> >>> To: fulldisclosure@...lists.org >>> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 >>> Date: Tue, 8 Apr 2014 10:24:02 +0100 >>> >>> This seems to be the best test so far: >>> >>> http://s3.jspenguin.org/ssltest.py >>> >>> Other tests false-positive on patched versions from what I can see. >>> >>> >>>> On 8 April 2014 01:10, Kirils Solovjovs <kirils.solovjovs@...ils.com> >>>>wrote: >>>> >>>> We are doomed. >>>> >>>> Description: http://www.openssl.org/news/vulnerabilities.html >>>> Article dedicated to the bug: http://heartbleed.com/ >>>> Tool to check if TLS heartbeat extension is supported: >>>> http://possible.lv/tools/hb/ >>>> >>>> A missing bounds check in the handling of the TLS heartbeat extension >>>> can be used to reveal up to 64kB of memory to a connected client or >>>>server. >>>> >>>> 1.0.1[ abcdef] affected. >>>> >>>> >>>> P.S. Happy Monday! _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists