httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?
Date Fri, 11 Apr 2014 16:47:50 GMT
On 11.04.2014 18:05, Jeff Trawick wrote:
> On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick <trawick@gmail.com
> <mailto:trawick@gmail.com>> wrote:
> 
>     On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan
>     <rainer.canavan@sevenval.com <mailto:rainer.canavan@sevenval.com>>
>     wrote:
> 
> 
>         On Apr 11, 2014, at 14:38 , Jeff Trawick <trawick@gmail.com
>         <mailto:trawick@gmail.com>> wrote:
> 
>         > SSL/TLS-enabled configurations of Apache HTTP Server with
>         OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so called
>         "Heartbleed Bug."

Before 1.0.1a there was 1.0.1 (without a letter) and I expect that
version was already vulnerable. So maybe "OpenSSL 1.0.1 up to 1.0.1f" or
similar.

One might also want to explicitly state that "Any OpenSSL version
smaller than 1.0.1 is not vulnerable." That takes away the uncertainty
whether the advisory only cares about the recent version or left out the
older ones deliberately. The term "earlier" instead of "smaller" would
be again misleading, because version number counts, not release date. Oh my.

Regards,

Rainer
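The discussion above is about how to state the affected version range precisely: the unlettered 1.0.1 release sits below 1.0.1a, and "smaller than" refers to the version number rather than the release date. The following is an added example, not code from the thread or from the httpd project, that encodes exactly the range the message proposes (1.0.1 up to and including 1.0.1f) as an inventory triage check. It assumes OpenSSL's 1.0.x version scheme (three numeric fields plus an optional lowercase letter suffix, where the suffix letters order alphabetically) and treats anything after a "-" or "+" as a distribution or build suffix. The version strings, banners and inventory below are constructed for illustration.

```python
import re
from typing import NamedTuple

# Upstream OpenSSL version strings of this era look like "1.0.1", "1.0.1f",
# "0.9.8zb": three numeric fields plus an optional lowercase letter suffix.
# Anything after '-' or '+' is treated as a packaging/build suffix, e.g. a
# distribution's "1.0.1e-2+deb7u7" (a constructed example, not from the thread).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:([-+].*))?$")
_BANNER_RE = re.compile(r"OpenSSL\s+(\S+)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    letter: str   # '' for the unlettered base release, e.g. 1.0.1
    suffix: str   # packaging/build suffix, '' if none

    @property
    def key(self):
        # Order by the numeric fields, then by the letter suffix. Plain string
        # comparison gives '' < 'a' < ... < 'z' < 'za' < 'zb', which matches
        # OpenSSL's lettering, so the unlettered 1.0.1 sorts before 1.0.1a.
        # Release dates play no part, which is the point the message makes.
        return (self.major, self.minor, self.fix, self.letter)


def parse_version(text: str) -> OpenSSLVersion:
    """Parse an OpenSSL version string such as '1.0.1', '1.0.1f' or '0.9.8zb'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    return OpenSSLVersion(int(m[1]), int(m[2]), int(m[3]), m[4], m[5] or "")


def version_from_banner(banner: str) -> OpenSSLVersion:
    """Extract the version from `openssl version` output, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {banner!r}")
    return parse_version(m[1])


# The range as the message proposes it: 1.0.1 (no letter) up to and including 1.0.1f.
AFFECTED_LOW = parse_version("1.0.1")
AFFECTED_HIGH = parse_version("1.0.1f")

NOT_AFFECTED = "not affected: older than 1.0.1"
AFFECTED = "affected: 1.0.1 through 1.0.1f"
AFFECTED_CHECK_VENDOR = ("upstream version in the affected range, but a packaging suffix "
                         "is present: confirm against the vendor's advisory")
NEWER = "outside the affected range: newer than 1.0.1f"


def heartbleed_status(text: str) -> str:
    """Classify a version string against the stated affected range."""
    v = parse_version(text)
    if v.key < AFFECTED_LOW.key:
        return NOT_AFFECTED
    if v.key <= AFFECTED_HIGH.key:
        # Distributions often backport fixes while keeping the upstream version
        # string, so a suffix means the string alone cannot settle the question.
        return AFFECTED_CHECK_VENDOR if v.suffix else AFFECTED
    return NEWER


if __name__ == "__main__":
    # Constructed inventory: host name -> reported OpenSSL version.
    inventory = {
        "host-a": "1.0.1",            # unlettered base release, inside the range
        "host-b": "1.0.1f",           # upper bound, inside the range
        "host-c": "1.0.1g",           # first version above the range
        "host-d": "1.0.0t",           # 1.0.0 line: below 1.0.1 regardless of date
        "host-e": "0.9.8zb",          # two-letter suffix, still below 1.0.1
        "host-f": "1.0.1e-2+deb7u7",  # packaged build: upstream string is not enough
    }
    for host, version in inventory.items():
        print(f"{host}: {version:18} -> {heartbleed_status(version)}")
    print("banner:", version_from_banner("OpenSSL 1.0.1e 11 Feb 2013"))
```

The comparison key deliberately ignores release dates, so a 1.0.0 release published after 1.0.1 is still classified as "older than 1.0.1", matching the message's argument that the version number, not the release date, decides. The packaging-suffix branch is there because a distribution can ship a fixed build under an unchanged upstream version string; for those hosts the string is a triage hint and the vendor's advisory is the authority.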

