OpenSSL Security issues

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Apr 7 23:45:35 CEST 2014


On 7 Apr 2014, at 22:18, Alan DeKok <aland at deployingradius.com> wrote:

>  This is a bad one:
> 
> http://heartbleed.com/
> 
> ...
> The Heartbleed bug allows anyone on the Internet to read the memory of
> the systems protected by the vulnerable versions of the OpenSSL software.
> ...
> 
> * OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> * OpenSSL 1.0.1g is NOT vulnerable
> * OpenSSL 0.9.8 branch is NOT vulnerable
> 
>  Everyone using TLS methods with EAP is likely vulnerable.  Anyone
> using RadSec is likely vulnerable.
> 
>  Please check which version of OpenSSL you are using.

That's really bad. Think we should add a configure-time check to prevent
the server being built against vulnerable versions?

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
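
The version test such a check would make, as an added example (not code from this post or from FreeRADIUS): it decodes an OpenSSL 1.0.x version number and tests it against the 1.0.1 through 1.0.1f range listed above. The function names and sample values are constructed for illustration; a real build would pass OPENSSL_VERSION_NUMBER from <openssl/opensslv.h> and the result of SSLeay().

```c
#include <stdio.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter (0 = none, 1 = 'a', ...),
 * S status (0 dev, 1..e beta, f release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status = v & 0xf;
    return r;
}

/* 1 if the version is in the range the advisory lists as vulnerable:
 * 1.0.1 through 1.0.1f inclusive. Pre-release 1.0.1 builds are counted
 * too (an assumption of this example). */
static int ossl_in_heartbleed_range(unsigned long v)
{
    struct ossl_ver r = ossl_decode(v);
    return r.major == 1 && r.minor == 0 && r.fix == 1 && r.patch <= 6;
}

/* Build-time and run-time versions can differ with a shared libssl,
 * so both are checked. Bit 0: headers in range, bit 1: loaded library. */
static int ossl_check(unsigned long header_ver, unsigned long runtime_ver)
{
    int bad = 0;
    if (ossl_in_heartbleed_range(header_ver))  bad |= 1;
    if (ossl_in_heartbleed_range(runtime_ver)) bad |= 2;
    return bad;
}

int main(void)
{
    /* Constructed sample values, not taken from any real host. */
    unsigned long built  = 0x1000107fUL; /* 1.0.1g headers */
    unsigned long loaded = 0x1000105fUL; /* 1.0.1e library at run time */
    int rc = ossl_check(built, loaded);
    printf("headers in range: %d, loaded library in range: %d\n", rc & 1, (rc >> 1) & 1);
    return rc != 0;
}
```

Distribution packages that backport the fix keep the upstream version string, so a library reporting 1.0.1e may already be patched; the version number alone cannot tell the two apart.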
