7 Apr
2014
7 Apr
'14
6:12 p.m.
On 7 Apr 2014, at 23:00, Alan DeKok <aland@deployingradius.com> wrote:
Arran Cudbard-Bell wrote:
That's really bad. Think we should add a configure time check to prevent the server being built against vulnerable versions?
https://www.openssl.org/news/secadv_20140407.txt
... Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Wow. The potential side-effects of this problem are enormous. ANY site using TLS for ANYTHING can have ANY memory read by an attacker.
i.e. secrets, private keys, etc.
Uhuh. That'd be a compile and link time check for FreeRADIUS then. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2