[OmniOS-discuss] OmniOS OpenSSL 1.0.1g and CVE-2014-0160

Saso Kiselkov skiselkov.ml at gmail.com
Tue Apr 8 13:44:23 UTC 2014


On 4/8/14, 3:35 PM, Jim Klimov wrote:
> On 2014-04-08 03:51, Theo Schlossnagle wrote:
>> Today was an unfortunate day for the Internet as a particularly
>> devastating and quite longstanding bug was revealed in OpenSSL 1.0.1.
> 
> Thanks for the heads-up!
> 
> Can anyone please elaborate on this question, though: some of the
> legacy systems (i.e. Solaris 10 based) out in the field have not,
> in fact, seen or used OpenSSL past 0.9.8-something; and ran some
> SSL-protected email, openvpn, web or ldap services (though the
> latter is probably using some java security layer). It is however
> not known what SSL implementations and versions were used by the
> users of these systems. Are such setups vulnerable (given that
> the server side had no heartbeat handshake code with the bug) to
> the extent that everything should be urgently upgraded or not?

Anything below OpenSSL 1.0.0 (inclusive) isn't vulnerable to this. (Most
legacy systems, including OI, still run on the OpenSSL 0.9.8
release train.)

Cheers,
-- 
Saso

