Yeah, you’re right; e.g. my own tbray.org server is fine because it’s been up for 1080 days and has openssl 0.9.8. My estimation of NSA’s cleverness is a little lower than yours, I bet it was a surprise to them too. Someone should ask Snowden ;)

On Tue, Apr 8, 2014 at 7:51 AM, Igor Roshchin <[email protected]> wrote:
>
> Tim,
>
> Thanks a lot for the heads-up.
> Apparently, I saw it here before I saw it through the "proper" channels.
>
> Strictly speaking it is not a "zero-day", as it was introduced in the
> version 1.0.1, and the earlier versions are not vulnerable.
> (I haven't seen any discussion of this yet, but I wouldn't be too
> surprised if the NSA had known about this bug way before the disclosure.)
>
> Cheers,
>
> Igor
>
>
> On 4/7/2014 8:13 PM, Tim Bray wrote:
>> In the unlikely event that any of you run https-enabled web sites and
>> haven't visited heartbleed.com today, get thee over there post-haste
>> and find out what version of OpenSSL you're running and consider
>> replacing your certs, stat.
>>
>> I'm not sure I've ever seen a more damaging zero-day.
>>
>
> --
> PDML Pentax-Discuss Mail List
> [email protected]
> http://pdml.net/mailman/listinfo/pdml_pdml.net
> to UNSUBSCRIBE from the PDML, please visit the link directly above and follow
> the directions.

