OpenSSL Security issues

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Apr 8 22:32:46 CEST 2014


On 8 Apr 2014, at 20:42, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:

> But sites (well, admins) who are unaware may enable the cache... In which case there should be an interlock which means they must also turn off the OpenSSL version check safety trigger too?
> 
> As the Heartbleed issue isn't as shocking as feared for FreeRADIUS, is there any need for the current check to be so hard on you if you've got 1.0.1 < g installed now? (However, I'm guessing yes if you run other SSL/TLS services on the same box, e.g. a web server, since an attacker can scan your memory slowly, so just protecting them from themselves.)

Memory protection should kick in and trigger a SEGV if they tried to read memory allocated to another process.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
