[OmniOS-discuss] OmniOS OpenSSL 1.0.1g and CVE-2014-0160

Jim Klimov jimklimov at cos.ru
Tue Apr 8 13:35:27 UTC 2014


On 2014-04-08 03:51, Theo Schlossnagle wrote:
> Today was an unfortunate day for the Internet as a particularly
> devastating and quite longstanding bug was revealed in OpenSSL 1.0.1.

Thanks for the heads-up!

Can anyone please elaborate on this question, though: some of the
legacy systems (i.e. Solaris 10 based) out in the field have not,
in fact, seen or used OpenSSL past 0.9.8-something; and ran some
SSL-protected email, openvpn, web or ldap services (though the
latter is probably using some java security layer). It is however
not known what SSL implementations and versions were used by the
users of these systems. Are such setups vulnerable (given that
the server side had no heartbeat handshake code with the bug) to
the extent that everything should be urgently upgraded or not?

Thanks,
//Jim

