On 11.04.2014 18:05, Jeff Trawick wrote:
> On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick <[email protected]
> <mailto:[email protected]>> wrote:
> 
>     On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan
>     <[email protected] <mailto:[email protected]>>
>     wrote:
> 
> 
>         On Apr 11, 2014, at 14:38 , Jeff Trawick <[email protected]
>         <mailto:[email protected]>> wrote:
> 
>         > SSL/TLS-enabled configurations of Apache HTTP Server with
>         OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so called
>         "Heartbleed Bug."

Before 1.0.1a there was 1.0.1 (without a letter) and I expect that
version was already vulnerable. So maybe "OpenSSL 1.0.1 up to 1.0.1f" or
similar.

One might also want to explicitly state that "Any OpenSSL version
smaller than 1.0.1 is not vulnerable." That takes away the uncertainty,
whether the advisory only cares about the recent version or left out the
older ones deliberately. The term "earlier" instead of "smaller" would
be again misleading, because version number counts, not release date. Oh my.

Regards,

Rainer
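The version-range question raised above (letterless 1.0.1 sorting before 1.0.1a, and ordering by version number rather than release date) is easy to get wrong in an inventory script. The following is an added example, not code from the thread or from the Apache or OpenSSL projects: it parses the version number out of `openssl version`-style output and checks it against the "1.0.1 up to 1.0.1f" range Rainer proposes. The hostnames and the inventory list are constructed for this example; the version strings follow the real output format, and the release dates shown are only there to illustrate that they play no part in the comparison.

```python
import re

# Affected range as proposed in the thread: 1.0.1 (no letter) up to and
# including 1.0.1f. The fourth element is the letter suffix; an empty
# string sorts before "a", so 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.
FIRST_AFFECTED = (1, 0, 1, "")
LAST_AFFECTED = (1, 0, 1, "f")

# Matches "1.0.1", "1.0.1e", "0.9.8zh" and also "1.0.1e-fips" (letters only,
# so the "-fips" tag is left out of the comparison key).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return a comparable (major, minor, fix, letter) tuple.

    Accepts either a bare version such as "1.0.1e" or a full line as
    printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    The date is ignored on purpose: only the version number counts.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version number found in %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_in_affected_range(version_tuple):
    """True if the parsed version lies in [1.0.1, 1.0.1f], inclusive."""
    return FIRST_AFFECTED <= version_tuple <= LAST_AFFECTED


def is_heartbleed_affected(text):
    """Convenience wrapper: parse a version string/line and range-check it."""
    return is_in_affected_range(parse_openssl_version(text))


# Constructed inventory (hypothetical hostnames) for this example. Note that
# legacy-02 carries a later date than web-01 yet is not in the affected
# range: ordering is by version number, not by release date.
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1 14 Mar 2012"),
    ("web-03", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy-01", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("legacy-02", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("fips-01", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
]


def affected_hosts(inventory):
    """Return the hostnames whose reported OpenSSL version is in range."""
    return [host for host, line in inventory if is_heartbleed_affected(line)]


if __name__ == "__main__":
    for host, line in SAMPLE_INVENTORY:
        flag = "AFFECTED" if is_heartbleed_affected(line) else "ok"
        print("%-10s %-32s %s" % (host, line, flag))
```

One caveat for anyone using a check like this: it only reflects the version string the library reports. Distributions that backport the fix without bumping the version (a host still reporting 1.0.1e, for instance) will show up as affected here even after patching, so the result should be read as "needs confirmation" rather than as a verdict.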