search for: heartbleed

For even more information about "Heartbleed". -Connie Sieh ---------- Forwarded message ---------- Date: Wed, 9 Apr 2014 12:27:54 -0500 From: The SANS Institute <NewsBites at sans.org> Subject: FLASH NewsBites - Heartbleed Open SSL Vulnerability FLASH NewsBites - Heartbleed Open SSL Vulnerability FLASH NewsBites are issued onl...

Do we know if dovecot is vulnerable to the heartbleed SSL problem? I'm running dovecot-2.0.9 and openssl-1.01, the latter being intrinsically vulnerable. An on-line tool says that my machine is not affected on port 993 but it would be nice to know for sure if we were vulnerable for a while. (Naturally I've blocked it anyway!). Thanks John

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Earlier in the day today, we were made aware of a serious issue in openssl as shipped in CentOS-6.5 ( including updates issued since CentOS-6.5 was released ); This issue is addressed in detail at http://heartbleed.com/ Upstream have not released a patched version of openssl, although we are reliably informed that there is quite a bit of effort ongoing to release a patched package soon. As an interim workaround, we are releasing packages that disable the exploitable code using the published workaround( tls...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Earlier in the day today, we were made aware of a serious issue in openssl as shipped in CentOS-6.5 ( including updates issued since CentOS-6.5 was released ); This issue is addressed in detail at http://heartbleed.com/ Upstream have not released a patched version of openssl, although we are reliably informed that there is quite a bit of effort ongoing to release a patched package soon. As an interim workaround, we are releasing packages that disable the exploitable code using the published workaround( tls...

Subject: Heartbleed Toolkit | Secure, Detect, & Repair Date: Thu, 10 Apr 2014 18:12:16 -0400 From: Red Hat <email at engage.redhat.com> View in a Web Browser <http://app.engage.redhat.com/e/es.aspx?s=1795&e=352069&elq=852ad1748d834dbeac7f2adf6f4b1679> "Follow us on Twitte...

...gt;> could have been stolen from it... I realized then that that level big >> flop >> never happened to RedHat. I couldn't even point to something that would >> constitute big flop RedHat of then. One only criticizes something while >> one cares about it ;-) > > Heartbleed was pretty scary, no? I'd consider that at least as bad as > the predictable number generator issue. > Well, heratbleed and shellshock were pretty much global: all systems (not only Linuxes, not to say particular Linux distributions - my FreeBSD boxes were affected too) using openssl or...

I know I'm slightly OT here, asking about RHEL, but since Centos is now a part of RH, I'm hoping I won't be summarily ejected. I've seen several articles that listed Centos 6.x as vulnerable, but DID NOT LIST RHEL 6. I'd think that if Centos 6.x is vulnerable, then so would RHEL 6.x, since Centos is made from RHEL sources. Does anyone know for sure either way? thanks! --

Kostya, I took a quick stab at patching libFuzzer for Apple, but so far I'm thinking something else is incorrect. Patch is attached but when I went to reproduce the examples, the toy example went fine, but with PCRE and Heartbleed I noticed the coverage statistics were pretty poor, and didn't find anything. Admittedly I moved onto Heartbleed pretty quickly so PCRE probably isn't the best judge. But here's a sample log from the Heartbleed session (they were all similar): $ cat fuzz-11.log Seed: 3157140177 Set...

...evel big >>>> flop >>>> never happened to RedHat. I couldn't even point to something that >>>> would >>>> constitute big flop RedHat of then. One only criticizes something >>>> while >>>> one cares about it ;-) >>> Heartbleed was pretty scary, no? I'd consider that at least as bad as >>> the predictable number generator issue. >>> >> Well, heratbleed and shellshock were pretty much global: all systems >> (not >> only Linuxes, not to say particular Linux distributions - my FreeBSD...

...ep you busy for a long while. > > Off the top of my head: > Thank you. The CentOS wiki pages found by a title page search are: http://wiki.centos.org/HelpOnConfiguration/SecurityPolicy http://wiki.centos.org/HowTos/Security http://wiki.centos.org/Security http://wiki.centos.org/Security/Heartbleed http://wiki.centos.org/Security/POODLE http://wiki.centos.org/Security/Shellshock with translations for the zh and zh-tw languages.

...; flop >>>>> never happened to RedHat. I couldn't even point to something that >>>>> would >>>>> constitute big flop RedHat of then. One only criticizes something >>>>> while >>>>> one cares about it ;-) >>>> Heartbleed was pretty scary, no? I'd consider that at least as bad as >>>> the predictable number generator issue. >>>> >>> Well, heratbleed and shellshock were pretty much global: all systems >>> (not >>> only Linuxes, not to say particular Linux distri...

Hi all, Ok, been wanting to do this for a while, and I after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs... Until now, we've been using self-signed certs with the following dovecot config: ssl = required ssl_cert = </etc/ssl/ourCerts/imap.pem ssl_key = </etc/ssl/ourCerts/imap_key.pem Now, I've created new keys/certs and t...

...ounce-request at centos.org You can reach the person managing the list at centos-announce-owner at centos.org When replying, please edit your Subject line so it is more specific than "Re: Contents of CentOS-announce digest..." Today's Topics: 1. CVE-2014-0160 CentOS 6 openssl heartbleed workaround (Karanbir Singh) 2. CESA-2014:0376 Important CentOS 6 openssl Update (Karanbir Singh) ---------------------------------------------------------------------- Message: 1 Date: Tue, 08 Apr 2014 03:11:01 +0100 From: Karanbir Singh <kbsingh at centos.org> Subject: [CentOS-an...

On Sun, January 11, 2015 5:16 pm, Keith Keller wrote: > On 2015-01-11, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote: >> >> Indeed. Or another system altogether (sihg). I'm just extending your >> thought half a step farther ;-) > > Or going even farther, if you like CentOS but not systemd, do the work > to get CentOS working without it. Unhappy Debian

...s. I'd like to have locked version repos for each role with tested RPMs. Then perhaps quarterly apply any updates. It would be nice to have something showing which updates are available for these locked repos. I'd also want to be able to just push single update RPMs into the repo (think heartbleed) I've had a look at spacewalk and katello, but they seem a bit complicated. Katello seems closer to what I'm looking for with its versioned "Content Views", but I don't see how I could selectively include some new packages in it. It seems like it only handles making new s...

...ave been stolen from it... I realized then that that level big >>> flop >>> never happened to RedHat. I couldn't even point to something that would >>> constitute big flop RedHat of then. One only criticizes something while >>> one cares about it ;-) >> Heartbleed was pretty scary, no? I'd consider that at least as bad as >> the predictable number generator issue. >> > Well, heratbleed and shellshock were pretty much global: all systems (not > only Linuxes, not to say particular Linux distributions - my FreeBSD boxes > were affected...

Hi all, The blog entry [1] suggest that one of the buildbots constantly fuzzes clang and clang-format. However, the actual bot [2] only tests the fuzzer itself over a well-known set of bugs in standard software (eg. Heartbleed [3] seems to be among them). Has there actually ever been a buildbot that fuzzes clang/LLVM itself? Another (obvious?) fuzzing candidate would be the LLVM's bitcode reader. I ran afl-fuzz on it and it found lots of failed assertions within seconds. Isn't fuzzing done on a regular basis as...

After reading about the 2 major SSL (and TLS?) weaknesses discovered this year, I was wondering how it affects asterisk. Does the SIP authentication use TLS - or something that was recently broken? Is there a risk of exposing passwords? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL:

....llvm.org> wrote: >> >> Hi all, >> >> The blog entry [1] suggest that one of the buildbots constantly fuzzes >> clang and clang-format. However, the actual bot [2] only tests the >> fuzzer itself over a well-known set of bugs in standard software (eg. >> Heartbleed [3] seems to be among them). > > Isn’t it this stage? http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/2755/steps/stage2%2Fasan%2Bassertions%20check-fuzzer/logs/stdio To me it looks like just the compilation and the unit+regression tests ("ninja check-fuzzer",...

...gt;> never happened to RedHat. I couldn't even point to something that >>>>>> would >>>>>> constitute big flop RedHat of then. One only criticizes something >>>>>> while >>>>>> one cares about it ;-) >>>>> Heartbleed was pretty scary, no? I'd consider that at least as bad as >>>>> the predictable number generator issue. >>>>> >>>> Well, heratbleed and shellshock were pretty much global: all systems >>>> (not >>>> only Linuxes, not to say par...