CVE-2014-0160?

sbremal at hotmail.com
Fri Apr 11 13:28:05 UTC 2014


I receive a daily email from the host which normally shows port audits and vulnerabilities. However, I did not spot anything related to CVE-2014-0160 in this email. I expected the same info to come in this email about the base system as well.

How do you normally inform about recent vulnerabilities in the base system? (I believe newspaper and TV are not the best way...)


Cheers
B.

----------------------------------------
> Subject: Re: CVE-2014-0160?
> From: kpaasial at icloud.com
> Date: Fri, 11 Apr 2014 16:12:36 +0300
> To: sbremal at hotmail.com
> CC: freebsd-security at freebsd.org
>
>
> On 11.4.2014, at 15.53, sbremal at hotmail.com wrote:
>
>> ext 65281 (renegotiation info, length=1)
>> ext 00011 (EC point formats, length=4)
>> ext 00035 (session ticket, length=0)
>> ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
>> Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
>>
>> Thanks! ;-)
>>
>> Is there any reason why nightly security patches are not enabled by default in FreeBSD?
>>
>>
>> Cheers
>> B.
>>
>
> Why do you make such a claim? The security patches are very much “enabled” (to use your words) in FreeBSD by default. This is assuming that you are in fact aware of the update methods that are available and how they work. And for the update methods and how they work there’s a tremendous amount of information out there, even translated to your native language in some cases if the language barrier is a problem for you.
>
> -Kimmo