[afnog] Time to update openssl

Phil Regnauld regnauld at nsrc.org
Thu Apr 10 09:54:05 UTC 2014


No! Debian, for instance, does backporting, and has patched the 1.0.1e
to not be vulnerable.

The *only* way to be certain is to test. Please, do not rely on the
version number, and don't use openssl itself (the command) to test
for heartbeat, since not all versions implement the extension client
side.

Phil


Frankosiligi Solomon (franco.noc) writes:
> Or otherwise,
> 
> Rely on checking your OpenSSL version directly and if falls under
> 
> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> 
> OpenSSL 1.0.1g is NOT vulnerable
> 
> OpenSSL 1.0.0 branch is NOT vulnerable
> 
> OpenSSL 0.9.8 branch is NOT vulnerable



More information about the afnog mailing list