-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [01 November 2022]
X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
==
Severity: High
A buffer overrun can
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [11 October 2022]
===
Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [5 July 2022]
===
Heap memory corruption with RSA private key operation (CVE-2022-2274)
=
Severity: High
The OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [21 June 2022]
The c_rehash script allows command injection (CVE-2022-2068)
Severity: Moderate
In addition
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [03 May 2022]
===
The c_rehash script allows command injection (CVE-2022-1292)
Severity: Moderate
The c_rehash script
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [15 March 2022]
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [28 January 2022]
===
BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160)
Severity: Moderate
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [14 December 2021]
Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [24 August 2021]
==
SM2 Decryption Buffer Overflow (CVE-2021-3711)
==
Severity: High
In order to decrypt SM2 encrypted data
On Thursday, 25 March 2021 15:03:24 CET, OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [25 March 2021]
=
NULL pointer deref in signature_algorithms processing (CVE-2021-3449
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [25 March 2021]
=
CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
Severity: High
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [16 February 2021]
Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
Severity: Moderate
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [08 December 2020]
EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
==
Severity: High
The X.509 GeneralName type
On 10/09/2020 16:14, Jakob Bohm via openssl-users wrote:
> On 2020-09-10 09:03, Tomas Mraz wrote:
>> On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
>>> Wouldn't a more reasonable response for 1.0.2 users have been to
>>> force on
>>> SSL_OP_SINGLE_DH_USE rather than
On 2020-09-10 09:03, Tomas Mraz wrote:
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
Wouldn't a more reasonable response for 1.0.2 users have been to
force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
cipher
suites
and telling affected people to
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
> Wouldn't a more reasonable response for 1.0.2 users have been to
> force on
> SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
> cipher
> suites
> and telling affected people to recompile with the fix off?
On 2020-09-09 14:39, OpenSSL wrote:
OpenSSL Security Advisory [09 September 2020]
=
Raccoon Attack (CVE-2020-1968)
==
Severity: Low
The Raccoon attack exploits a flaw in the TLS specification which can lead to
an attacker
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [09 September 2020]
=
Raccoon Attack (CVE-2020-1968)
==
Severity: Low
The Raccoon attack exploits a flaw in the TLS specification which can lead
That makes sense, thank you all.
machine, but with different parameters, so it's a
> bit hard to see if it is affected or not.
>
> Thanks,
> Sam
>
> On Tue, Apr 21, 2020 at 6:26 AM OpenSSL wrote:
>>
> OpenSSL Security Advisory [21 April 2020]
> =
On Tue, Apr 21, 2020 at 12:46:43PM -0700, Sam Roberts wrote:
> The announcement claims that this affects SSL_check_chain().
>
> Is that an exhaustive list? If an application does NOT call that
> function, does this mean the vulnerability is not exploitable?
That is correct (speaking only in
SIGNED MESSAGE-
> Hash: SHA256
>
> OpenSSL Security Advisory [21 April 2020]
> =
>
> Segmentation fault in SSL_check_chain (CVE-2020-1967)
> =
>
> Severity: High
>
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [21 April 2020]
=
Segmentation fault in SSL_check_chain (CVE-2020-1967)
=
Severity: High
Server or client applications that call
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [6 December 2019]
===
rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551)
===
Severity: Low
There is an overflow bug in the x64_64
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [10 September 2019]
=
ECDSA remote timing attack (CVE-2019-1547)
==
Severity: Low
Normally in OpenSSL EC groups always have a co-factor
bove APIs may require their return value to be canonicalized
via the GetFullPathNameW() API in corner cases, retaining the result in
a global variable is advisable.
On 30/07/2019 16:27, OpenSSL wrote:
OpenSSL Security Advisory [30 July 2019]
===
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [30 July 2019]
Windows builds with insecure path defaults (CVE-2019-1552)
==
Severity: Low
OpenSSL has internal defaults
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [6 March 2019]
ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
==
Severity: Low
ChaCha20-Poly1305 is an AEAD cipher
Thanks.
-Original Message-
From: openssl-users On Behalf Of Matt
Caswell
Sent: Wednesday, February 27, 2019 11:18 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL Security Advisory
On 27/02/2019 18:43, Scott Neugroschl wrote:
> Is this a client-side or server-side vulnerabil
Suite 100 |Simi Valley, CA 93063 | Phone 805
> 583-2874|Fax 805 583-0124 |
>
>
>
>
> -Original Message-
> From: openssl-users On Behalf Of OpenSSL
> Sent: Tuesday, February 26, 2019 6:59 AM
> To: openssl-proj...@openssl.org; OpenSSL User Support ML
> ; Ope
On Behalf Of OpenSSL
Sent: Tuesday, February 26, 2019 6:59 AM
To: openssl-proj...@openssl.org; OpenSSL User Support ML
; OpenSSL Announce ML
Subject: OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [26 February 2019
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [26 February 2019]
0-byte record padding oracle (CVE-2019-1559)
Severity: Moderate
If an application encounters a fatal protocol
OpenSSL Security Advisory [12 November 2018]
Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
===
Severity: Low
OpenSSL ECC scalar
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [12 June 2018]
Client DoS due to large DH parameter (CVE-2018-0732)
Severity: Low
During key agreement in a TLS handshake
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [16 Apr 2018]
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Severity: Low
The OpenSSL RSA Key
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [27 Mar 2018]
Constructed ASN.1 types with a recursive definition could exceed the stack
(CVE-2018-0739
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [07 Dec 2017]
Read/write after SSL object in error state (CVE-2017-3737)
==
Severity: Moderate
OpenSSL 1.0.2 (starting
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [02 Nov 2017]
bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
==
Severity: Moderate
There is a carry propagating bug
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [16 Feb 2017]
Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
Severity: High
During a renegotiation handshake
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [26 Jan 2017]
Truncated packet could crash via OOB read (CVE-2017-3731)
=
Severity: Moderate
If an SSL/TLS server
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [10 Nov 2016]
ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
==
Severity: High
TLS connections using *-CHACHA20
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [26 Sep 2016]
This security update addresses issues that were caused by patches
included in our previous security update, released on 22nd September
2016. Given the Critical
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [22 Sep 2016]
OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=
Severity: High
A malicious
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [3rd May 2016]
Memory corruption in the ASN.1 encoder (CVE-2016-2108)
==
Severity: High
This issue affected versions of OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [1st March 2016]
=
NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of
SSLv2
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [28th Jan 2016]
=
NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO
SECURITY FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES
ONLY
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
=
[Updated 4 Dec 2015]: This advisory has been updated to include the details of
CVE-2015-1794, a Low severity issue affecting
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [3 Dec 2015]
===
NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS
On 10/07/2015 23:03, Jeffrey Walton wrote:
During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an
In fact, I thought that was the reason we all
had to wait ages before this long standing shortcoming
was fixed.
It almost sounds like you are complaining you did not have to wait ages :)
It's the inconsistency of first insisting this cannot go
into a patch and then pushing out a broken
How deep does the certificate chain have to be?
It does not matter.
If I have 2 self-signed CA certificates, and a non-CA certificate is received
for verification, will this hit the problem?
Also, is it a condition of the bug that both CA certificates have to have the
same subject names and
On 10/07/15 13:09, R C Delgado wrote:
Hello,
With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c.
How deep does the certificate chain have to be?
If I have 2 self-signed CA certificates, and a non-CA certificate is
received for verification, will this hit the
Hello,
With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c.
How deep does the certificate chain have to be?
If I have 2 self-signed CA certificates, and a non-CA certificate is
received for verification, will this hit the problem?
Also, is it a condition of the bug that
Thank you very much. It really helps.
On Fri, Jul 10, 2015 at 2:32 PM, Matt Caswell m...@openssl.org wrote:
On 10/07/15 13:09, R C Delgado wrote:
Hello,
With regards to CVE-2015-1793, I've seen the example in
verify_extra_test.c.
How deep does the certificate chain have to be?
If I
On 07/10/2015 09:32 AM, Matt Caswell wrote:
On 10/07/15 13:09, R C Delgado wrote:
Hello,
With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c.
How deep does the certificate chain have to be?
If I have 2 self-signed CA certificates, and a non-CA certificate is
received
Hello,
One further question. Can you please confirm that the alternative
certificate chain feature is enabled by default? It seems to be implied in
all emails regarding this matter, and I'm assuming the Advisory email would
have mentioned it otherwise.
I've searched the OpenSSL code and seen
On 10/07/15 19:34, R C Delgado wrote:
Hello,
One further question. Can you please confirm that the alternative
certificate chain feature is enabled by default? It seems to be implied
in all emails regarding this matter, and I'm assuming the Advisory email
would have mentioned it
During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on
On Thu, Jul 09, 2015 at 01:13:30PM +, Salz, Rich wrote:
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
In other words, if you are not using those specific releases -- i.e., the
ones that came out less than 30 days ago -- you do not need to upgrade.
More
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [9 Jul 2015]
===
Alternative chains certificate forgery (CVE-2015-1793)
==
Severity: High
During certificate verification, OpenSSL
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
In other words, if you are not using those specific releases -- i.e., the ones
that came out less than 30 days ago -- you do not need to upgrade.
On 09/07/15 22:46, Jakob Bohm wrote:
On 09/07/2015 15:10, OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [9 Jul 2015]
===
Alternative chains certificate forgery (CVE-2015-1793
On 09/07/2015 15:10, OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [9 Jul 2015]
===
Alternative chains certificate forgery (CVE-2015-1793)
==
Severity: High
During
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [11 Jun 2015]
===
DHE man-in-the-middle protection (Logjam)
A vulnerability in the TLS protocol allows a man
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [19 Mar 2015]
===
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
=
Severity: High
If a client connects to an OpenSSL 1.0.2
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [08 Jan 2015]
===
DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===
Severity: Moderate
A carefully crafted DTLS
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [15 Oct 2014]
===
SRTP Memory Leak (CVE-2014-3513)
Severity: High
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends
Hi,
Please can I enquire what the actual vulnerability is with...
Information leak in pretty printing functions (CVE-2014-3508)
=
A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline,
: SHA256
OpenSSL Security Advisory [05 Jun 2014]
Resend: first version contained characters which could cause signature
failure.
SSL/TLS MITM vulnerability (CVE-2014-0224)
===
An attacker using
On 6/5/2014 11:31 PM, Green, Gatewood wrote:
Openssl-0.9.8za will not build in FIPS mode. The openssl-fips-1.2(.4) seems to
be missing the symbol BN_consttime_swap.
By the way, the BN_consttime_swap implementation in 1.0.1g (still
downloading 1.0.1h) doesn't seem to completely match its
looked at
1.0.1h as yet.
OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [05 Jun 2014]
Resend: first version contained characters which could cause signature failure.
SSL/TLS MITM vulnerability (CVE-2014-0224
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [05 Jun 2014]
SSL/TLS MITM vulnerability (CVE-2014-0224)
===
An attacker using a carefully crafted handshake can force the use of weak
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [05 Jun 2014]
Resend: first version contained characters which could cause signature failure.
SSL/TLS MITM vulnerability (CVE-2014-0224
as yet.
OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [05 Jun 2014]
Resend: first version contained characters which could cause signature failure.
SSL/TLS MITM vulnerability (CVE-2014-0224
of OpenSSL.
Thanks
—
Juha
On 5/06/2014, at 11:54 pm, OpenSSL open...@openssl.org wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [05 Jun 2014]
Resend: first version contained characters which could cause signature
: 208.206.7455
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of OpenSSL
Sent: Thursday, June 05, 2014 5:54 AM
To: openssl-...@openssl.org; openssl-users@openssl.org;
openssl-annou...@openssl.org
Subject: OpenSSL Security Advisory
Ah, of course! I was so focused on not accessing that routine and not
being able to just link in the obj files that the obvious solution of
using the library properly escaped me! Thanks.
After a Visual Studio 2012 build in directory:
E:\usr_local\src\openssl-1.0.1f_32
I then was able to put that
some nice pictures how the bug works: http://www.xkcd.com/1354/
HIH
matthias
--
Sent from my FreeBSD netbook
Matthias Apitz, g...@unixarea.de, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2
On 11/04/2014 12:58 AM, Viktor Dukhovni wrote:
guru@hein:~/openssl-1.0.1f/apps (sleep 3 ; echo B ; sleep 3) | ./openssl
s_client -connect www.openssl.org:443
If you are using s_client for testing then you should add the -msg
option and see what is being sent.
Responding to a correctly formed
On Wednesday, April 09, 2014 at 01:05:22AM -0700, monloi perez
wrote:
True. Thanks for the quick reply.
On Wednesday, April 9, 2014 3:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk
wrote:
https://www.openssl.org/news/changelog.html
1.0.1 introduced the heartbeat support.
On 12 Apr 2014, at 17:43, Matthias Apitz g...@unixarea.de wrote:
On Wednesday, April 09, 2014 at 01:05:22AM -0700, monloi perez
wrote:
True. Thanks for the quick reply.
On Wednesday, April 9, 2014 3:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk
wrote:
On Saturday, April 12, 2014 at 09:08:15PM +0200, Michael Tuexen wrote:
What is the exact bug, can someone show a svn/git diff of the first
source version having the bug?
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1
Hi,
Thanks
On 12 Apr 2014, at 21:30, Matthias Apitz g...@unixarea.de wrote:
On Saturday, April 12, 2014 at 09:08:15PM +0200, Michael Tuexen
wrote:
What is the exact bug, can someone show a svn/git diff of the first
source version having the bug?
On Saturday, April 12, 2014 at 09:30:22PM +0200, Matthias Apitz wrote:
On Saturday, April 12, 2014 at 09:08:15PM +0200, Michael Tuexen
wrote:
What is the exact bug, can someone show a svn/git diff of the first
source version having the bug?
On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de
wrote:
I have read the rumor. It is wrong.
Introduced with intent vs. known to the NSA -- two
different things, right?
I don't have any direct knowledge of what goes on in the
NSA, but if they don't have a
On 12/04/14 21:30, Matthias Apitz wrote:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1
Thanks for the git diff (and the other statements). Could you please be
so kind and point to the exact place of the offending statement (or
missing
On Saturday, April 12, 2014 at 03:43:29PM -0400, Michael Smith wrote:
On Apr 12, 2014, at 3:08 PM, Michael Tuexen
michael.tue...@lurchi.franken.de wrote:
I have read the rumor. It is wrong.
Introduced with intent vs. known to the NSA -- two
different things, right?
On Saturday, April 12, 2014 at 03:43:29PM -0400, Michael Smith wrote:
On Apr 12, 2014, at 3:08 PM, Michael Tuexen
michael.tue...@lurchi.franken.de wrote:
I have read the rumor. It is wrong.
Introduced with intent vs. known to the NSA -- two
different things, right?
On 12 Apr 2014, at 21:43, Michael Smith m...@smithbowen.net wrote:
On Apr 12, 2014, at 3:08 PM, Michael Tuexen
michael.tue...@lurchi.franken.de wrote:
I have read the rumor. It is wrong.
Introduced with intent vs. known to the NSA -- two
different things, right?
My statement was
On Apr 12, 2014, at 5:40 PM, Michael Tuexen michael.tue...@lurchi.franken.de
wrote:
Introduced with intent vs. known to the NSA -- two
different things, right?
My statement was referring to the Introduced with intent.
Understood. I'm personally quite sure it *wasn't* introduced
with
On 10.04.2014 13:16, Rob Stradling wrote:
On 09/04/14 20:43, Salz, Rich wrote:
Can you please post a good and a bad server example. I have
tested a lot of servers, including 'akamai.com', and they all show
HEARTBEATING at the end:
Look at Victor's recent post about how to patch
The same issue when I tried to port over to windows, the ssl3_write_bytes
is not exposed in the library. There doesn't seem to be an easy workaround
that I can see.
Steve...
On Fri, Apr 11, 2014 at 7:40 AM, Walter H. walte...@mathemainzel.info wrote:
On 10.04.2014 13:16, Rob Stradling wrote:
@openssl.org
Subject: Re: OpenSSL Security Advisory
On 10.04.2014 13:16, Rob Stradling wrote:
On 09/04/14 20:43, Salz, Rich wrote:
Can you please post a good and a bad server
example. I have tested a lot of servers, including 'akamai.com', and they
all show
In Debian I solved it by linking the static library directly.
gcc -ansi -pedantic -o heartbleed heartbleed.c -lcrypto \
/usr/lib/x86_64-linux-gnu/libssl.a
Regards
On Friday 11 April 2014 08:38:07, Steven Kneizys wrote:
The same issue when I tried to port over to windows, the
Thanks Leonardo!
On 11/04/14 13:54, Leonardo Secci wrote:
In Debian I solved it by linking the static library directly.
gcc -ansi -pedantic -o heartbleed heartbleed.c -lcrypto \
/usr/lib/x86_64-linux-gnu/libssl.a
Regards
On Friday 11 April 2014 08:38:07, Steven Kneizys wrote:
The
On 11/04/2014 10:38 PM, Steven Kneizys wrote:
The same issue when I tried to port over to windows,
the ssl3_write_bytes is not exposed in the library. There doesn't
seem to be an easy workaround that I can see.
The work around is trivial if you wanted to do that.
Change to use the
-Original Message-
From: Matthias Apitz [mailto:g...@unixarea.de]
Sent: Thursday, April 10, 2014 6:41 AM
To: Apitz,Matthias
Subject: Fwd: RE: OpenSSL Security Advisory
- Forwarded message from Salz, Rich rs...@akamai.com -
Date: Wed, 9 Apr 2014 15:43:28 -0400
On 09/04/14 20:43, Salz, Rich wrote:
Can you please post a good and a bad server example. I have tested a lot of
servers, including 'akamai.com', and they all show HEARTBEATING at the end:
Look at Victor's recent post about how to patch openssl/s_client to make your
own test. That's the
On Thu, Apr 10, 2014 at 10:57:35AM +0200, Matthias Apitz wrote:
I have instrumented an openssl 1.0.1f as posted by Victor:
guru@hein:~/openssl-1.0.1f diff ssl/t1_lib.c.unpatched
ssl/t1_lib.c
2671c2671
s2n(payload, p);
---
s2n(0x4000, p);
but I still see HEARTBEATING, for
https://www.openssl.org/news/changelog.html
1.0.1 introduced the heartbeat support.
1.0.0 and earlier are fortunate in that they didn't have it. But then they
didn't have things to stop you from being BEASTed so some you win, some you
lose. ;)
alan