[afnog] Time to update openssl
Phil Regnauld
regnauld at nsrc.org
Thu Apr 10 09:54:05 UTC 2014
No! Debian, for instance, does backporting, and has patched the 1.0.1e
to not be vulnerable.
The *only* way to be certain is to test. Please, do not rely on the
version number, and don't use openssl itself (the command) to test
for heartbeat, since not all versions implement the extension client
side.
Phil
Frankosiligi Solomon (franco.noc) writes:
> Or otherwise,
>
> Rely on checking your OpenSSL version directly and if falls under
>
> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>
> OpenSSL 1.0.1g is NOT vulnerable
>
> OpenSSL 1.0.0 branch is NOT vulnerable
>
> OpenSSL 0.9.8 branch is NOT vulnerable
More information about the afnog
mailing list