Open Source and information security mailing list archives
Date: Wed, 16 Apr 2014 18:38:48 +0000
From: Paul McMillan <>
Subject: Re: [FD] Audit: don't only focus on heartbleed issue

Also remember to actually try the exploit, even if you think your
0.9.8 installation isn't vulnerable. We found several devices which
were running a safe version in the audit paperwork, but actually
running a vulnerable version in practice.


On Wed, Apr 16, 2014 at 6:03 PM, Ron Bowes <> wrote:
> Are there actually any real-world attack scenarios for BEAST, CRIME, or
> Lucky-thirteen?
> Heartbleed has been used in actual legitimate attacks, but those earlier
> attacks all seem pretty tame in comparison. Worth fixing, of course, but
> they don't seem *as* critical to me.
> Ron
> On Wed, Apr 16, 2014 at 3:10 AM, Shawn <> wrote:
>> After an exciting and crazy week, people are calming down and planning,
>> or have already started, audits of their systems. But there is something
>> you might miss. Older versions of OpenSSL (like 0.9.8) might not be
>> affected by the Heartbleed issue, but that doesn't mean you are secure.
>> Don't forget that old OpenSSL versions are still vulnerable to BEAST
>> (2011), CRIME (2012), and Lucky-thirteen (2013) [1]. I do believe
>> Lucky-thirteen is far more dangerous than Heartbleed; we just don't know.
>> Once you start the audit, please upgrade OpenSSL to the latest version.
>> If you are using 0.9.8, please upgrade to 0.9.8y, which is not vulnerable
>> to the Lucky-13 issue.
>> Fixing the Heartbleed issue for a website is much easier than for
>> networking devices (firewall, UTM, SSL/IPsec VPN, etc.) and third-party
>> software. This is definitely going to have a long-term impact.
>> [1]
>> --
>> GNU powered it...
>> GPL protect it...
>> God blessing it...
>> regards
>> Shawn
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> Web Archives & RSS:

