Date: Tue, 08 Apr 2014 21:44:45 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>
Subject: Re: Other instances of CVE-2014-0160 - mod_spdy from Google

On 04/ 8/14 08:59 PM, Kurt Seifried wrote:
> So it appears there are projects that statically compile OpenSSL into
> their software, one example:
>
> https://code.google.com/p/mod-spdy/

https://www.stunnel.org/sdf_ChangeLog.html lists:

   Version 5.01, 2014.04.08, urgency: HIGH:
   Security bugfixes
   OpenSSL DLLs updated to version 1.0.1g.
   This version mitigates TLS heartbeat read overrun (CVE-2014-0160).

but that appears to be only for the precompiled Windows binaries they offer for
download, as it doesn't contain a copy of OpenSSL in the source tarballs for
Linux/UNIX distros, but instead searches for one in configure.ac.

--
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
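
An added example, not part of the original message: one way to inventory statically linked or bundled OpenSSL copies like those discussed above is to search binaries for the OpenSSL version banner and flag the CVE-2014-0160 range (1.0.1 through 1.0.1f, and 1.0.2-beta1). The function names and sample byte strings are hypothetical and constructed for illustration.

```python
import re
import sys

# Version text OpenSSL compiles into libssl/libcrypto and into any program
# linked statically against them, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2})((?:-[a-z0-9]+)*) +\d{1,2} [A-Z][a-z]{2} \d{4}"
)

def is_affected(base, letter, suffix):
    """True if the banner version falls in the CVE-2014-0160 range."""
    if base == "1.0.1":
        # 1.0.1 through 1.0.1f; 1.0.1g carries the fix. Pre-release 1.0.1
        # builds are flagged as well (a conservative assumption).
        return letter in ("", "a", "b", "c", "d", "e", "f")
    if base == "1.0.2":
        # Only the first 1.0.2 beta is in the affected range.
        return letter == "" and "beta1" in suffix.split("-")
    return False

def find_bundled_openssl(data):
    """Map each OpenSSL banner found in a binary's bytes to an affected flag."""
    found = {}
    for m in BANNER.finditer(data):
        base, letter, suffix = (g.decode() for g in m.groups())
        found[base + letter + suffix] = is_affected(base, letter, suffix)
    return found

# Constructed samples standing in for the contents of two bundled DLLs.
SAMPLE_OLD = b"\x00\x00SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014\x00\x00"
SAMPLE_NEW = b"\x00\x00SSLv3 part of OpenSSL 1.0.1g 7 Apr 2014\x00\x00"

if __name__ == "__main__":
    # Usage: python scan.py <binary> [<binary> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_bundled_openssl(fh.read())
        for version, affected in sorted(hits.items()):
            status = "AFFECTED" if affected else "ok"
            print(f"{path}: OpenSSL {version} {status}")
```

The banner only reports the upstream version string: builds with a backported fix or compiled with `-DOPENSSL_NO_HEARTBEATS` keep an older banner, so a hit is a lead to verify rather than proof of exposure.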