On Fri, Apr 11, 2014 at 12:47 PM, Rainer Jung <rainer.j...@kippdata.de> wrote:

> On 11.04.2014 18:05, Jeff Trawick wrote:
> > On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick <traw...@gmail.com> wrote:
> >
> > On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan
> > <rainer.cana...@sevenval.com> wrote:
> >
> > On Apr 11, 2014, at 14:38, Jeff Trawick <traw...@gmail.com> wrote:
> >
> > > SSL/TLS-enabled configurations of Apache HTTP Server with
> > > OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called
> > > "Heartbleed Bug."
>
> Before 1.0.1a there was 1.0.1 (without a letter) and I expect that
> version was already vulnerable. So maybe "OpenSSL 1.0.1 up to 1.0.1f" or
> similar.
>
> One might also want to explicitly state that "Any OpenSSL version
> smaller than 1.0.1 is not vulnerable.". That takes away the uncertainty,
> whether the advisory only cares about the recent version or left out the
> older ones deliberately. The term "earlier" instead of "smaller" would
> be again misleading, because version number counts, not release date. Oh
> my.
>
> Regards,
>
> Rainer

Fixed on blog (thanks!)

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/