Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

David Hubbard dhubbard at dino.hostasaurus.com
Tue Apr 8 16:11:32 UTC 2014

1.0.1 was not deployed until RHEL 6.5.  RedHat released patches
for RHEL last night, and CentOS followed suit a few minutes

-----Original Message-----
From: Michael Thomas [mailto:mike at mtcc.com] 
Sent: Tuesday, April 08, 2014 12:03 PM
To: nanog at nanog.org
Subject: Re: Fwd: Serious bug in ubiquitous OpenSSL library:

Just as a data point, I checked the servers I run and it's a good thing
I didn't reflexively update them first.
On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't
have the vulnerability, but the ones queued up for update do. I assume
that redhat will get the patched version soon but be careful!


On 04/07/2014 10:06 PM, Paul Ferguson wrote:
> Hash: SHA256
> I'm really surprised no one has mentioned this here yet...
> FYI,
> - - ferg
> Begin forwarded message:
>> From: Rich Kulawiec <rsk at gsp.org> Subject: Serious bug in ubiquitous 
>> OpenSSL library: "Heartbleed" Date: April 7, 2014 at 9:27:40 PM EDT
>> This reaches across many versions of Linux and BSD and, I'd presume, 
>> into some versions of operating systems based on them.
>> OpenSSL is used in web servers, mail servers, VPNs, and many other 
>> places.
>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed 
>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerabilit
>> y-revealed-7000028166/
>>   Technical details: Heartbleed Bug http://heartbleed.com/
>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1 
>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT 
>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is 
>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
> - --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
> Version: GnuPG v2.0.22 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
> =aAzE

More information about the NANOG mailing list