OpenSSL Security issues
Alan DeKok
aland at deployingradius.com
Tue Apr 8 00:00:07 CEST 2014
Arran Cudbard-Bell wrote:
> That's really bad. Think we should add a configure time check to prevent
> the server being built against vulnerable versions?
https://www.openssl.org/news/secadv_20140407.txt
... Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Wow. The potential side-effects of this problem are enormous. ANY
site using TLS for ANYTHING can have ANY memory read by an attacker.
i.e. secrets, private keys, etc.
Alan DeKok.
More information about the Freeradius-Users
mailing list