FreeBSD Security Advisory FreeBSD-SA-14:06.openssl

Karl Denninger karl at denninger.net
Wed Apr 9 14:50:32 UTC 2014


On 4/9/2014 9:47 AM, Steven Hartland wrote:
> ----- Original Message ----- From: "Karl Denninger" <karl at denninger.net>
>
> On 4/9/2014 9:21 AM, Zoran Kolic wrote:
>>> Advisory claims 10.0 only to be affected. Patches to
>>> branch 9 are not of importance on the same level?
>>>
>> 9 (and before) were only impacted if you loaded the newer OpenSSL 
>> from ports.  A fair number of people did, however, as a means of 
>> preventing BEAST attack vectors.
>>
>> If you did, then you need to update that and have all your private 
>> keys re-issued.  If you did not then you never had the buggy code in 
>> the first place.
>
> Actually they are vulnerable without any ports install, just not to
> CVE-2014-0160, only CVE-2014-0076, both of which were fixed by
> SA-14:06.openssl
>
>    Regards
>    Steve
Good point -- there is that other advisory in there so "base" 8.x and 
9.x users should update as well.

However, the other problem does not involve the same sort of 
vulnerability to remote "grabs" of data, including authentication 
credentials (and worse, private key data).

-- 
-- Karl
karl at denninger.net
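As an added illustration of the "remote grab" Karl is contrasting with CVE-2014-0076 (this is example code, not part of the thread or of the FreeBSD advisory, and not OpenSSL's own source): the heartbeat handler below reproduces the shape of the CVE-2014-0160 defect, where the peer-supplied payload length is trusted when copying bytes back, and the one-line check that SA-14:06 / OpenSSL 1.0.1g added. The "heap" is a constructed 128-byte arena holding a 5-byte heartbeat record followed by a made-up secret, so the over-read stays inside memory the program owns; the function and variable names are mine.

```c
/* Simulated TLS heartbeat (RFC 6520) handling, vulnerable vs. hardened.
 * Added example; constructed arena stands in for the server heap.
 * Compile: cc -std=c99 -Wall heartbeat_sim.c -o heartbeat_sim */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* RFC 6520: minimum 16 bytes of padding */
#define ARENA_SIZE  128

/* Constructed "process memory": the record lands first, then whatever the
 * server happened to have next to it (here, a fake credential and key). */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SECRET:Passw0rd! -----BEGIN RSA PRIVATE KEY-----";

/* Lay out a heartbeat request whose header claims `claimed_len` payload bytes
 * but that actually carries only 5 ("hello"). Returns the record's true
 * length, which is what the TLS record layer knows (rrec.length). */
static size_t lay_out_arena(uint16_t claimed_len)
{
    size_t pos = 0;
    memset(arena, 0, sizeof arena);
    arena[pos++] = HB_REQUEST;
    arena[pos++] = (unsigned char)(claimed_len >> 8);
    arena[pos++] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + pos, "hello", 5);
    pos += 5;
    pos += HB_PADDING;                      /* zeroed; real padding is random */
    memcpy(arena + pos, secret, strlen(secret));
    return 1 + 2 + 5 + HB_PADDING;          /* 24 bytes actually received */
}

/* Build the heartbeat response into `out`. Returns its length, or -1 if the
 * record is rejected. `hardened` selects the post-SA-14:06 bounds check. */
static int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap, int hardened)
{
    if (rec_len < 3)
        return -1;
    unsigned int hbtype  = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];   /* n2s() */
    const unsigned char *pl = rec + 3;

    if (hbtype != HB_REQUEST)
        return -1;
    if (hardened) {
        /* The fix: claimed payload + header + minimum padding must fit in
         * the record that was actually received; otherwise drop silently. */
        if (1 + 2 + payload + HB_PADDING > rec_len)
            return -1;
    }

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;                          /* simulation bound only */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    /* Vulnerable path: copies `payload` bytes from the record regardless of
     * how many were received, echoing adjacent memory back to the peer. */
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Byte-wise search (the response contains NULs, so strstr() would stop). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Run one probe with the given claimed length; returns the response length
 * (or -1) and sets *leaked if the response carried the planted secret. */
static int probe(uint16_t claimed, int hardened, int *leaked)
{
    unsigned char out[512];
    size_t rec_len = lay_out_arena(claimed);
    *leaked = 0;
    if ((size_t)3 + claimed > ARENA_SIZE)
        return -1;                          /* keep the over-read inside our arena */
    int n = handle_heartbeat(arena, rec_len, out, sizeof out, hardened);
    if (n > 0)
        *leaked = contains(out, (size_t)n, "PRIVATE KEY");
    return n;
}

static int response_len(uint16_t claimed, int hardened)
{
    int leaked;
    return probe(claimed, hardened, &leaked);
}

static int leaks_secret(uint16_t claimed, int hardened)
{
    int leaked;
    probe(claimed, hardened, &leaked);
    return leaked;
}

int main(void)
{
    printf("honest request (5 bytes): vulnerable=%d hardened=%d\n",
           response_len(5, 0), response_len(5, 1));
    printf("claims 100 bytes: vulnerable len=%d leaks=%d | hardened len=%d leaks=%d\n",
           response_len(100, 0), leaks_secret(100, 0),
           response_len(100, 1), leaks_secret(100, 1));
    return 0;
}
```

With an honest request both paths answer normally; with a header claiming 100 bytes, the unpatched path returns 119 bytes that include the planted "PRIVATE KEY" text, while the patched path drops the record. Real OpenSSL allowed up to 65535 bytes per heartbeat and the peer could repeat it indefinitely, which is why the advice in the thread to re-issue private keys after patching is the right one.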

