Another day … another OpenSSL Bug

Hello there

There has been a lot of noise around a new bug that OpenSSL has reported, but it seems that this is being blown out of proportion (again). It seems that the bug was introduced in a commit from late April 2015 (https://git.openssl.org/?p=openssl.git;a=commit;h=6281abc79623419eae6a64768c478272d5d3a426) and the versions it affects have been around for a month. So far the most used distros seem not to have been affected by this issue.

http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1793.html

https://access.redhat.com/solutions/1523323

 

So … nothing to see here … 😀

Get your freak on

Hello again

So … as a part of my job I was reading this article about a newly discovered SSL vulnerability, this time on the client side, http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html and I thought, “surely some distros must have disabled these EXPORT ciphers”, and right I was:

CentOS/RHEL 6

#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

So at least on this point the attack is mitigated, as browsers are not allowed to use these ciphers.

Looks good !!! 😀
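As an added example (not part of the original post and not code from any distribution): a small Python audit that scans Apache configuration text for SSLCipherSuite directives and reports whether EXPORT suites are permanently excluded with `!`, only removed with `-` (which a later token can re-add), or not explicitly excluded at all. The function names are hypothetical, every sample line except the CentOS/RHEL 6 one quoted above is constructed, and it assumes an OpenSSL older than 1.1.0, where `ALL` still contains export suites.

```python
import re
import shlex

# Cipher-string keywords that select every export-grade suite.
EXPORT_ALIASES = {"EXPORT", "EXP"}
# Assumption: OpenSSL < 1.1.0, where a bare ALL also pulls export suites in.
READD = EXPORT_ALIASES | {"ALL"}

def classify(spec):
    """Classify one cipher string: 'killed', 'removed-only' or 'no-explicit-exclusion'."""
    verdict = "no-explicit-exclusion"
    for token in filter(None, re.split(r"[:, ]+", spec)):
        op = token[0] if token[0] in "!-+" else ""
        name = token[len(op):].upper()
        if op == "!" and name in EXPORT_ALIASES:
            return "killed"            # '!' is permanent, later tokens cannot undo it
        if op == "-" and name in EXPORT_ALIASES:
            verdict = "removed-only"   # '-' can be undone by a later token
        elif op == "" and name in READD:
            verdict = "no-explicit-exclusion"  # export suites (re-)added
    return verdict

def audit(config_text):
    """Return (line number, verdict) for each SSLCipherSuite directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.lower().startswith("sslciphersuite"):
            continue                   # skips '#' comments and other directives
        args = shlex.split(stripped)[1:]
        if args:
            # The cipher string is the last argument of the directive.
            findings.append((lineno, classify(args[-1])))
    return findings

# Line 2 is the CentOS/RHEL 6 default quoted above; lines 3 and 4 are constructed.
SAMPLE = """\
#   SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite ALL:-EXPORT:RC4+RSA
SSLCipherSuite "ALL:!ADH:+HIGH"
"""

if __name__ == "__main__":
    for lineno, verdict in audit(SAMPLE):
        print(f"line {lineno}: {verdict}")
```

Only the `killed` verdict matches what the CentOS/RHEL 6 default does; the other two verdicts mean the cipher string needs a closer look.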