OpenSSL and detecting whether bugs have been patched

> On 5 Mar 2015, at 12:23, Salz, Rich <rsalz at akamai.com> wrote:
>> if (!openssl_is_patched("CVE-2014-0160")) {
>>   complain_vociferously();
>> }
> 
> That's an interesting idea.  Of course the CVE list would grow, so perhaps arrays of ints are better
> 	int OPENSSL_cve_fixed(int year, int vuln);
> 
> ?

This feels onerous... I think this would only affect vendors who release their own patched versions. The OpenSSL team should probably not have to deal with their problems; using the latest version of upstream OpenSSL you'd be fine to verify the version number.
Maybe it's just a case of the vendor (Red Hat etc.) coming up with a solution - a /usr/share/openssl/heartbleed_fixed file added to the package, or a /usr/share/openssl/patchlist file containing the list of patches applied. FreeRADIUS can then check this based on the distribution's way of dealing with it.

Jason
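As an added illustration of the two checks discussed in this thread (it is not code from the thread, from OpenSSL or from FreeRADIUS), the C below combines an upstream version threshold with a lookup in a vendor-supplied patch list. The patch list file format is an assumption (one patch name or CVE id per line, `#` starts a comment) and its contents are constructed inline; in a real build the caller would read it from a path such as the suggested /usr/share/openssl/patchlist and pass the runtime library version obtained from `SSLeay()` (1.0.x) or `OpenSSL_version_num()` (1.1.0+), not the compile-time `OPENSSL_VERSION_NUMBER`, since the two can differ when the shared library is upgraded.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* OpenSSL encodes its version as 0xMNNFFPPS (major, minor, fix, patch, status).
 * 1.0.1g, the first upstream release containing the CVE-2014-0160 fix, is 0x1000107fL. */
#define HEARTBLEED_FIXED_VERSION 0x1000107fL

/* Constructed sample of the hypothetical vendor patch list: a distribution shipping
 * 1.0.1e with the Heartbleed fix backported would list the CVE id here. */
static const char constructed_patchlist[] =
    "# patches applied by the distribution to its OpenSSL 1.0.1e package\n"
    "CVE-2014-0160\n"
    "vendor-local-patch-placeholder\n";

/* Return true if 'token' appears as a whole token at the start of some
 * non-comment line of the list (trailing whitespace or a comment may follow). */
bool patchlist_contains(const char *list, const char *token)
{
    size_t n = strlen(token);
    const char *line = list;

    while (*line) {
        const char *end = strchr(line, '\n');
        const char *line_end = end ? end : line + strlen(line);
        const char *p = line;

        while (p < line_end && (*p == ' ' || *p == '\t'))
            p++;                                   /* skip leading whitespace */

        if (*p != '#' && (size_t)(line_end - p) >= n && strncmp(p, token, n) == 0) {
            char next = ((size_t)(line_end - p) > n) ? p[n] : '\0';
            if (next == '\0' || next == ' ' || next == '\t' || next == '#')
                return true;                       /* exact token, not a prefix */
        }
        if (!end)
            break;
        line = end + 1;
    }
    return false;
}

/* Hypothetical check in the spirit of openssl_is_patched() from the thread:
 * the fix is present if the running library is at or past the upstream release
 * that fixed it, or if the vendor's patch list records a backport. */
bool openssl_is_patched(unsigned long runtime_version, const char *patchlist,
                        const char *cve, unsigned long fixed_in_version)
{
    if (runtime_version >= fixed_in_version)
        return true;
    return patchlist != NULL && patchlist_contains(patchlist, cve);
}

int main(void)
{
    /* 1.0.1e (0x1000105fL) is older than 1.0.1g, so only the vendor list can vouch for it. */
    printf("1.0.1e without patch list: %s\n",
           openssl_is_patched(0x1000105fL, NULL, "CVE-2014-0160",
                              HEARTBLEED_FIXED_VERSION) ? "patched" : "NOT patched");
    printf("1.0.1e with vendor patch list: %s\n",
           openssl_is_patched(0x1000105fL, constructed_patchlist, "CVE-2014-0160",
                              HEARTBLEED_FIXED_VERSION) ? "patched" : "NOT patched");
    return 0;
}
```

The whole-token comparison matters: a naive `strstr()` on the file would accept a CVE id that is merely a prefix of a longer one, so the check insists that the match be followed by end-of-line, whitespace or a comment marker.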
