[aklug] Re: OpenSSL Security Issue

From: Royce Williams <royce@tycho.org>
Date: Thu Jul 09 2015 - 13:45:43 AKDT

Correction: only the OpenVPN Windows client; all others use the OS' SSL.

Royce

On Thu, Jul 9, 2015 at 1:36 PM, Royce Williams <royce@tycho.org> wrote:
> What I know so far (see my link for full link/proof contexts):
>
> http://www.techsolvency.com/story-so-far/cve-2015-1793_openssl-cert-forgery/
>
> Affected
>
> Amazon AWS (ALAS-2015-564), if you patched for Logjam (ALAS-2015-550)
> Browsers and clients locally compiled against a patched OpenSSL (curl,
> fetch, links, lynx, wget)
> Debian unstable and testing
> FreeBSD (10.2 and 10-STABLE only)
> OmniOS
> OpenVPN clients (except for Android and iOS)
> SparkLabs Viscosity VPN client, as per @mig5 tweet, using 1.0.2c
> Ubuntu (Wily Werewolf only)
>
> Not affected
>
> Akamai
> Android apps (most) "since they don't validate certificates properly
> anyway" (Chris Wysopal) and confirmed by Adam Langley - "Android is
> BoringSSL now but never picked up the bug when it was OSSL."
> BeyondTrust
> Browsers using NSS (Firefox, TorBrowser), SChannel (IE), BoringSSL
> (Chrome), or Apple SecureTransport (Safari)
> CentOS 5,6,7 (predate June 2015? - need to confirm this)
> Debian stable
> FreeBSD (10.1, 9.x and older, and 10.x-STABLE prior to 2015-06-11)
> Imperva/Incapsula
> LibreSSL
> Mullvad VPN client
> OpenSUSE (and closed bug report) (Meissner tweet)
> Rapid7 products
> RedHat
> SafeLogic
> Ubuntu (non-beta versions)
> VMware ESXi? (OpenSSL not bumped since 1.0.1h, for Heartbleed?)
> Zimbra
>
> May be affected
>
> Juniper products (pre-announcement link)
> Tunnelblick VPN? (not yet confirmed, claimed by Mullvad)
> Ubiquiti gear (unresolved starter thread)
>
>
> Royce
>
> On Thu, Jul 9, 2015 at 1:31 PM, R Denison <gaijin@gci.net> wrote:
>> ($x}buntu 15.10 drivers, start your patches.
>>
>> https://mta.openssl.org/pipermail/openssl-announce/2015-July/000040.html
>>
>> RHEL / CentOS don't appear to be affected (CentOS 6 ships with 1.0.1e, don't
>> know about 7.x.)
>>
>> https://mta.openssl.org/pipermail/openssl-announce/2015-July/000040.html
>> ---------
>> To unsubscribe, send email to <aklug-request@aklug.org>
>> with 'unsubscribe' in the message body.
>>
Received on Thu Jul 9 13:46:26 2015

This archive was generated by hypermail 2.1.8 : Thu Jul 09 2015 - 13:46:26 AKDT