Date:      Wed, 9 Apr 2014 15:47:25 +0100
From:      "Steven Hartland" <killing@multiplay.co.uk>
To:        "Karl Denninger" <karl@denninger.net>, <freebsd-security@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
Message-ID:  <8A7E8A9A8B034A3498601347FFFF088C@multiplay.co.uk>
References:  <mailman.384.1397005594.1401.freebsd-security@freebsd.org> <20140409142136.GA871@faust.sbb.rs> <53455877.5020006@denninger.net>

----- Original Message ----- 
From: "Karl Denninger" <karl@denninger.net>



On 4/9/2014 9:21 AM, Zoran Kolic wrote:
>> Advisory claims 10.0 only to be affected. Patches to
>> branch 9 are not of importance on the same level?
>>
>>
> 9 (and before) were only impacted if you loaded the newer OpenSSL from 
> ports.  A fair number of people did, however, as a means of preventing 
> BEAST attack vectors.
>
> If you did, then you need to update that and have all your private keys 
> re-issued.  If you did not then you never had the buggy code in the 
> first place.

Actually, they are vulnerable without any ports install, just not to
CVE-2014-0160, only CVE-2014-0076, both of which were fixed by
SA-14:06.openssl.

    Regards
    Steve


