> On 5 Mar 2015, at 12:23, Salz, Rich <rsalz at akamai.com> wrote:
>> if (!openssl_is_patched("CVE-2014-0160")) {
>>     complain_vociferously();
>> }
>
> That's an interesting idea. Of course the CVE list would grow, so perhaps arrays of ints are better
>
> int OPENSSL_cve_fixed(int year, int vuln);
>
> ?

This feels onerous...

I think this would only affect vendors who release their own patched versions. The OpenSSL team should probably not have to deal with their problems; using the latest version of upstream OpenSSL you'd be fine to verify the version number.

Maybe it's just a case of the vendor (Red Hat etc.) should come up with a solution - a /usr/share/openssl/heartbleed_fixed file added to the package, or a /usr/share/openssl/patchlist file containing a list of patches applied. FreeRADIUS can then check this based on the distribution's way of dealing with it.

Jason
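As an added example (not code from this thread, FreeRADIUS or OpenSSL), the two checks discussed above combined: first the upstream version number as returned by SSLeay()/OPENSSL_VERSION_NUMBER, then, when that cannot prove the fix, the vendor patchlist file Jason suggests. The OSSL_VER macro, the one-CVE-per-line patchlist format, the sample file contents and all function names are assumptions made here; callers on a real build pass the runtime version number and the distribution's actual path.

```c
#include <stdio.h>
#include <string.h>

/* MNNFFPPS layout of OPENSSL_VERSION_NUMBER / SSLeay(); the macro is ours. */
#define OSSL_VER(maj, min, fix, patch, status) \
    (((unsigned long)(maj) << 28) | ((unsigned long)(min) << 20) | \
     ((unsigned long)(fix) << 12) | ((unsigned long)(patch) << 4) | (unsigned long)(status))
/* Constructed sample of the vendor patchlist idea from the thread, one CVE id per line. */
static const char SAMPLE_PATCHLIST[] = "# constructed sample, not a real vendor file\nCVE-2014-0160\n";
/* Upstream rule for CVE-2014-0160: 1.0.1 .. 1.0.1f and 1.0.2-beta1 are affected,
 * 1.0.1g and 1.0.2-beta2 are fixed, 0.9.8 and 1.0.0 never had the heartbeat code.
 * Returns 1 only when the upstream version number alone proves the fix. */
int heartbleed_fixed_by_version(unsigned long v)
{
    if (v >= OSSL_VER(1, 0, 1, 0, 0x0) && v <= OSSL_VER(1, 0, 1, 6, 0xf))
        return 0;                            /* 1.0.1-dev .. 1.0.1f */
    if (v == OSSL_VER(1, 0, 2, 0, 0x1))
        return 0;                            /* 1.0.2-beta1 */
    return 1;
}
/* Exact whole-line match of a CVE id in patchlist text (no prefix matches). */
int patchlist_contains(const char *contents, const char *cve)
{
    const char *p = contents, *eol;
    size_t len, want = strlen(cve);
    for (; *p; p = eol + 1) {
        eol = strchr(p, '\n');
        len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == want && memcmp(p, cve, len) == 0)
            return 1;
        if (!eol)
            break;
    }
    return 0;
}
/* Combined check: trust the version when it proves the fix, else consult the
 * distribution's patchlist file; NULL path or unreadable file means "not proven". */
int openssl_is_patched_heartbleed(unsigned long version, const char *patchlist_path)
{
    char buf[4096]; size_t n; FILE *f;
    if (heartbleed_fixed_by_version(version))
        return 1;
    if (patchlist_path == NULL || (f = fopen(patchlist_path, "r")) == NULL)
        return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return patchlist_contains(buf, "CVE-2014-0160");
}
```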