On Thu, Apr 10, 2014 at 11:57 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Thu, Apr 10, 2014 at 11:14 AM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 04/10/2014 07:36 AM, jdd wrote:
On 10/04/2014 16:31, Lew Wolfgang wrote:
What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1?
Let them run. I have servers running 12.1 because I never have time to update them. Of course nothing that has any value.
I had some years ago a 2010 server running Debian 3.0, with very old hardware and a config nobody could understand why it worked... I replaced it when the hardware failed.
As far as I can see, the traffic of any of these servers is so low I don't think they are compromised :-( - but I may be wrong
But my understanding is (hope I'm wrong!) that both servers and clients are affected. If you have a vulnerable SSL library on your home desktop and you happen to visit a compromised web server, that web server can exfiltrate all your RAM-resident data without your knowledge.
I think that openSuSE 12.1 is okay and was never vulnerable. 12.2 and up are vulnerable.
Regards, Lew
Lew,
I hope you're wrong. I've only read about server side issues so far. That is bad enough.
Greg
Shit, you're not wrong.

http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_...

At least for openSUSE users the policy is that openSSL never be hardlinked to an app. Thus patching the library and restarting any apps using it will address the vulnerability. But it means the historical window of opportunity was huge.

And for anyone that runs Windows, they often hardlink in the openSSL library instead of using a shared DLL. That means that every application will need to be checked and upgraded if needed in Windows.

Can I crawl back in a hole now?

Greg
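An added example, not part of the original thread: after the shared OpenSSL library is patched, a process started earlier keeps the old copy mapped until it is restarted, and Linux marks that mapping "(deleted)" in /proc/PID/maps. The sketch below lists such processes; the function names and the sample /proc tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. List processes that still map a libssl/libcrypto file which was
# replaced on disk; Linux marks such mappings "(deleted)" in /proc/PID/maps.
# stale_ssl_pids and make_sample_proc are hypothetical helper names.

# Usage: stale_ssl_pids [PROC_ROOT]   (PROC_ROOT defaults to /proc)
# Output: one "PID COMMAND LIBRARY" line per stale library per process.
stale_ssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable or process exited
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        name="$(cat "$pid_dir/comm" 2>/dev/null || echo '?')"
        # maps fields: address perms offset dev inode path ["(deleted)"]
        awk -v pid="$pid" -v name="$name" '
            /lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$/ {
                if (!seen[$6]++) print pid, name, $6
            }' "$maps" 2>/dev/null
    done
}

# Constructed sample: a fake /proc tree with one restarted and one stale process.
make_sample_proc() {
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/202"
    echo sshd  > "$root/101/comm"
    echo nginx > "$root/202/comm"
    cat > "$root/101/maps" <<'EOF'
7f10a000-7f10f000 r-xp 00000000 08:01 1311 /usr/lib64/libssl.so.1.0.0
7f110000-7f2c0000 r-xp 00000000 08:01 1200 /lib64/libc.so.6
EOF
    cat > "$root/202/maps" <<'EOF'
7f20a000-7f20f000 r-xp 00000000 08:01 1177 /usr/lib64/libssl.so.1.0.0 (deleted)
7f20f000-7f210000 rw-p 00005000 08:01 1177 /usr/lib64/libssl.so.1.0.0 (deleted)
7f300000-7f4a0000 r-xp 00000000 08:01 1178 /usr/lib64/libcrypto.so.1.0.0 (deleted)
EOF
    echo "$root"
}

# Run against the live system when invoked with --scan (root sees all processes).
if [ "${1:-}" = "--scan" ]; then stale_ssl_pids /proc; fi
```

This only finds the shared library case; an application with OpenSSL linked into its own binary never shows a libssl mapping and has to be checked and upgraded on its own.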