Date: Tue, 08 Apr 2014 21:44:45 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>
Subject: Re: Other instances of CVE-2014-0160 - mod_spdy from
 Google

On 04/ 8/14 08:59 PM, Kurt Seifried wrote:
> So it appears there are projects that statically compile OpenSSL into
> their software, one example:
>
> https://code.google.com/p/mod-spdy/

https://www.stunnel.org/sdf_ChangeLog.html lists:

   Version 5.01, 2014.04.08, urgency: HIGH:
     Security bugfixes
         OpenSSL DLLs updated to version 1.0.1g. This version mitigates
         TLS heartbeat read overrun (CVE-2014-0160).

but that appears to be only for the precompiled Windows binaries they offer for
download, as it doesn't contain a copy of OpenSSL in the source tarballs for
Linux/UNIX distros, but instead searches for one in configure.ac.

-- 
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
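
An added example, not part of the original message and not code from stunnel or mod_spdy: one way to find bundled or statically linked OpenSSL copies like those discussed in this thread is to search binaries for the version banner OpenSSL embeds. The function names and sample bytes are constructed for illustration.

```python
import re
import sys

# Banner OpenSSL embeds in its libraries, and so in anything that links them
# statically, e.g. b"OpenSSL 1.0.1f 6 Jan 2014".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]?)(-[a-z0-9]+)? ")

def classify(branch, letter, suffix):
    """CVE-2014-0160 status judged from the version string alone."""
    if suffix.startswith(("-beta", "-dev")):
        return "review"            # pre-release build: check by hand
    if branch != "1.0.1":
        return "other-branch"      # not a 1.0.1 release
    # 1.0.1 through 1.0.1f are affected; 1.0.1g carries the fix.
    return "affected" if letter < "g" else "fixed"

def scan_bytes(data):
    """Return sorted, de-duplicated (version, status) pairs found in data."""
    found = set()
    for m in BANNER.finditer(data):
        branch, letter, suffix = (g.decode() if g else "" for g in m.groups())
        found.add((branch + letter + suffix, classify(branch, letter, suffix)))
    return sorted(found)

def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())

# Constructed samples: bytes shaped like binaries with an embedded copy.
SAMPLE_OLD = (b"\x7fELF\x00\x00Big Number part of OpenSSL 1.0.1f 6 Jan 2014\x00"
              b"OpenSSL 1.0.1f 6 Jan 2014\x00")
SAMPLE_NEW = b"MZ\x90\x00OpenSSL 1.0.1g 7 Apr 2014\x00"

if __name__ == "__main__":
    # Usage: python scan.py FILE...   (no arguments: run on the samples)
    targets = sys.argv[1:]
    if not targets:
        print(scan_bytes(SAMPLE_OLD), scan_bytes(SAMPLE_NEW))
    for path in targets:
        for version, status in scan_file(path):
            print(f"{path}: OpenSSL {version}: {status}")
```

The result is a lead, not a verdict: a build made with -DOPENSSL_NO_HEARTBEATS or carrying a vendor-backported fix still shows an old version string.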
