On 04/10/2014 06:40 AM, Greg Freemyer wrote:
This is a critical bug/vulnerability with huge impacts. Maybe the worst to ever effect Linux, but it only affects the server side of a SSL connection as I understand it. For most opensuse users it is not an issue from an admin perspective.
Hi Greg, As I understand it, clients are also vulnerable if they connect to a compromised server using SSL. Note that this would include https web traffic, as well as secure POP/IMAP and SMTP Submission. So a compromised server would be able to suck private data from your local desktop without your knowing about it. Also, a completed and authenticated session to a remote server isn't required. A partial connection will suffice. <<< BIG QUESTION >>> What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1? Do/will RPMs be available for manual install? It looks like openSuSE 12.1 isn't affected and zipper fixes 12.3 and 13.1: zypper in -t patch openSUSE-2014-277 Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org