Date: Tue, 08 Apr 2014 21:44:45 -0700 From: Alan Coopersmith <alan.coopersmith@...cle.com> To: oss-security@...ts.openwall.com CC: Kurt Seifried <kseifried@...hat.com> Subject: Re: Other instances of CVE-2014-0160 - mod_spdy from Google On 04/ 8/14 08:59 PM, Kurt Seifried wrote: > So it appears there are projects that statically compile OpenSSL into > their software, one example: > > https://code.google.com/p/mod-spdy/ https://www.stunnel.org/sdf_ChangeLog.html lists: Version 5.01, 2014.04.08, urgency: HIGH: Security bugfixes OpenSSL DLLs updated to version 1.0.1g. This version mitigates TLS heartbeat read overrun (CVE-2014-0160). but that appears be only for the precompiled Windows binaries they offer for download, as it doesn't contain a copy of OpenSSL in the source tarballs for Linux/UNIX distros, but instead searches for one in configure.ac. -- -Alan Coopersmith- alan.coopersmith@...cle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.