[OmniOS-discuss] OmniOS OpenSSL 1.0.1g and CVE-2014-0160
Jim Klimov
jimklimov at cos.ru
Tue Apr 8 14:24:00 UTC 2014
On 2014-04-08 15:44, Saso Kiselkov wrote:
> Anything below OpenSSL 1.0.0 (inclusive) isn't vulnerable to this. (Most
> legacy systems, including OI, still run on the OpenSSL 0.9.8
> release train)

Thanks, I've read that statement ;)

I just wanted to make sure: if we have an OpenSSL 0.9.8-enabled
server and an OpenSSL 1.0.1* (vulnerable) client, and someone has
sniffed and saved the traffic, does that indeed disclose the
sensitive data, or does it not?

For instance, I can't yet figure out if this heartbeat handshake is
something new introduced in the 1.0.1 series and so the whole procedure
is skipped when a new OpenSSL connects with an old OpenSSL? Or not?..

Thanks,
//Jim