Open Source and information security mailing list archives
 
Message-ID: <CABniQZNLSktYNKX5P6Ftdnre4Tyftxk648srWLj7+8ZVM898OQ@mail.gmail.com>
Date: Wed, 16 Apr 2014 18:10:15 +0800
From: Shawn <citypw@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Audit: don't only focus on heartbleed issue

After an exciting and crazy week, people are calming down and planning
to audit, or have already started auditing, their systems. But there is
something you might miss. Older versions of OpenSSL (like 0.9.8) might
not be affected by the heartbleed issue, but that doesn't mean you are
secure. Don't forget that old OpenSSL versions are still vulnerable to
BEAST (2011), CRIME (2012), and Lucky-thirteen (2013) [1]. I do believe
Lucky-thirteen is far more dangerous than heartbleed, we just don't
know. Once you start the audit, please upgrade OpenSSL to the latest
version. If you are using 0.9.8, please upgrade to 0.9.8y, which is not
vulnerable to the Lucky-13 issue.

Fixing the heartbleed issue for websites is much easier than for
networking devices (firewall, UTM, SSL/IPsec VPN, etc.) and 3rd-party
software. This is definitely going to have a long-term impact.


[1] http://www.isg.rhul.ac.uk/tls/

-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
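
An added example, not part of the original post: a small Python check that parses `openssl version` output and flags 0.9.8-branch hosts below 0.9.8y, the release the post names as not vulnerable to Lucky-13. Host names and version strings are constructed, the function names are hypothetical, and other branches are only reported as out of scope because the post gives no fixed version for them.

```python
import re

# Release the post names as not vulnerable to Lucky-13 on the 0.9.8 branch.
FIXED_098 = (0, 9, 8, "y")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letters), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def lucky13_status(text):
    """Classify one version string against the 0.9.8y threshold from the post."""
    v = parse_openssl_version(text)
    if v is None:
        return "unparsed"
    if v[:3] != FIXED_098[:3]:
        return "other-branch"  # not covered here; the post says use the latest
    # Patch letters run "" < "a" < ... < "z" < "za" < "zb", which is exactly
    # the order plain string comparison gives.
    return "ok" if v[3] >= FIXED_098[3] else "upgrade"

def hosts_to_upgrade(inventory):
    """Return the sorted host names whose 0.9.8 build is older than 0.9.8y."""
    return sorted(h for h, s in inventory.items() if lucky13_status(s) == "upgrade")

# Constructed sample inventory: host -> output of `openssl version`.
# Caveat: distribution packages may backport fixes without changing this
# string, so treat a hit as "check the package changelog", not as proof.
SAMPLE = {
    "web01": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "old01": "OpenSSL 0.9.8",
    "vpn01": "OpenSSL 0.9.8y 5 Feb 2013",
    "utm01": "OpenSSL 0.9.8za",
    "app01": "OpenSSL 1.0.1g 7 Apr 2014",
    "fw01": "n/a",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE.items()):
        print(f"{host:6} {lucky13_status(banner):13} {banner}")
    print("upgrade:", hosts_to_upgrade(SAMPLE))
```
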
