[aklug] Re: OpenSSL Security Issue

From: Royce Williams <royce@tycho.org>
Date: Thu Jul 09 2015 - 13:36:51 AKDT

What I know so far (see my link for full link/proof contexts):

http://www.techsolvency.com/story-so-far/cve-2015-1793_openssl-cert-forgery/

Affected

Amazon AWS (ALAS-2015-564), if you patched for Logjam (ALAS-2015-550)
Browsers and clients locally compiled against a patched OpenSSL (curl,
fetch, links, lynx, wget)
Debian unstable and testing
FreeBSD (10.2 and 10-STABLE only)
OmniOS
OpenVPN clients (except for Android and iOS)
sparklabs Viscosity VPN client, as per @mig5 tweet, using 1.0.2c
Ubuntu (Wily Werewolf only)

Not affected

Akamai
Android apps (most) "since they don't validate certificates properly
anyway" (Chris Wysopal) and confirmed by Adam Langley - "Android is
BoringSSL now but never picked up the bug when it was OSSL."
BeyondTrust
Browsers using NSS (Firefox, TorBrowser), SChannel (IE), BoringSSL
(Chrome), or Apple SecureTransport (Safari)
CentOS 5,6,7 (predate June 2015? - need to confirm this)
Debian stable
FreeBSD (10.1, 9.x and older, and 10.x-STABLE prior to 2015-06-11)
Imperva/Incapsula
LibreSSL
Mullvad VPN client
OpenSUSE (and closed bug report) (Meissner tweet)
Rapid7 products
RedHat
SafeLogic
Ubuntu (non-beta versions)
VMware ESXI? (OpenSSL not bumped since 1.0.1h, for Heartbleed?)
Zimbra

May be affected

Juniper products (pre-announcement link)
Tunnelblick VPN? (not yet confirmed, claimed by Mullvad)
Ubiquiti gear (unresolved starter thread)

Royce

On Thu, Jul 9, 2015 at 1:31 PM, R Denison <gaijin@gci.net> wrote:
> ($x}buntu 15.10 drivers, start your patches.
>
> https://mta.openssl.org/pipermail/openssl-announce/2015-July/000040.html
>
> RHEL / CentOS don't appear to be affected (CentOS 6 ships with 1.0.1e, don't
> know about 7.x.)
>
> https://mta.openssl.org/pipermail/openssl-announce/2015-July/000040.html
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
Received on Thu Jul 9 13:37:33 2015
