oss-security - Re: Other instances of CVE-2014-0160

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 08 Apr 2014 21:44:45 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>
Subject: Re: Other instances of CVE-2014-0160 - mod_spdy from
 Google

On 04/ 8/14 08:59 PM, Kurt Seifried wrote:
> So it appears there are projects that statically compile OpenSSL into
> their software, one example:
>
> https://code.google.com/p/mod-spdy/

https://www.stunnel.org/sdf_ChangeLog.html lists:

   Version 5.01, 2014.04.08, urgency: HIGH:
     Security bugfixes
         OpenSSL DLLs updated to version 1.0.1g. This version mitigates
         TLS heartbeat read overrun (CVE-2014-0160).

but that appears be only for the precompiled Windows binaries they offer for
download, as it doesn't contain a copy of OpenSSL in the source tarballs for
Linux/UNIX distros, but instead searches for one in configure.ac.

-- 
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.