OpenSSL Security issues
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Apr 8 00:12:39 CEST 2014
On 7 Apr 2014, at 23:00, Alan DeKok <aland at deployingradius.com> wrote:
> Arran Cudbard-Bell wrote:
>> That's really bad. Think we should add a configure time check to prevent
>> the server being built against vulnerable versions?
>
> https://www.openssl.org/news/secadv_20140407.txt
>
> ... Users unable to immediately
> upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
>
> Wow. The potential side-effects of this problem are enormous. ANY
> site using TLS for ANYTHING can have ANY memory read by an attacker.
>
> i.e. secrets, private keys, etc.
Uhuh. That'd be a compile and link time check for FreeRADIUS then.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
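
The reply above asks for a check at both compile and link time; the following is an added example of that two-stage logic, not FreeRADIUS code and not part of the original message. The function names, the `operator_override` switch and the version numbers are assumptions constructed for illustration; the real affected range comes from the advisory linked in the thread.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL version numbers are packed as 0xMNNFFPPS:
 * major, minor, fix, patch letter, status nibble (0xf = release). */
typedef struct { unsigned long first, last; } deny_range_t;
enum check_result { CHECK_OK = 0, CHECK_DENIED, CHECK_MISMATCH };

/* Constructed placeholder range ("2.3.4" to "2.3.4f"), not real OpenSSL
 * versions; take the affected range from the advisory. */
static const deny_range_t SAMPLE_RANGE = { 0x2030400fUL, 0x2030406fUL };

/* Compare without the status nibble so betas and releases sort together. */
int in_range(unsigned long v, const deny_range_t *r)
{
    return (v >> 4) >= (r->first >> 4) && (v >> 4) <= (r->last >> 4);
}

/* Build-time half: hdr is the value of OPENSSL_VERSION_NUMBER, no_heartbeats
 * is 1 when OPENSSL_NO_HEARTBEATS is defined at build time. */
enum check_result check_headers(unsigned long hdr, int no_heartbeats,
                                const deny_range_t *r)
{
    if (no_heartbeats) return CHECK_OK;
    return in_range(hdr, r) ? CHECK_DENIED : CHECK_OK;
}

/* Start-up half: lib is the version the loaded library reports. The version
 * number cannot show how that library was compiled, so a hypothetical
 * operator_override covers a library rebuilt without heartbeats. */
enum check_result check_library(unsigned long hdr, unsigned long lib,
                                int operator_override, const deny_range_t *r)
{
    if ((hdr >> 12) != (lib >> 12)) return CHECK_MISMATCH; /* major.minor.fix */
    if (in_range(lib, r) && !operator_override) return CHECK_DENIED;
    return CHECK_OK;
}

int main(void)
{
    /* Built against patched headers, but an older shared library is loaded. */
    unsigned long hdr = 0x2030407fUL, lib = 0x2030403fUL;
    printf("headers: %d, library: %d\n",
           check_headers(hdr, 0, &SAMPLE_RANGE),
           check_library(hdr, lib, 0, &SAMPLE_RANGE));
    return 0;
}
```

The build-time check alone passes in this scenario, which is why the start-up check against the loaded library is needed as well.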