|
To: midrange-l@xxxxxxxxxxxx
Subject: RE: OpenSSL Vulnerability Notice
From: rob@xxxxxxxxx
Date: Tue, 15 Apr 2014 08:12:28 -0400
Exactly what we do.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Mike Cunningham <mike.cunningham@xxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 04/15/2014 08:08 AM
Subject: RE: OpenSSL Vulnerability Notice
Sent by: midrange-l-bounces@xxxxxxxxxxxx
That is not us. We get cumulative packages and groups every quarter
and apply even if we have not issues
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [
mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, April 15, 2014 7:41 AM
To: Midrange Systems Technical Discussion
Subject: RE: OpenSSL Vulnerability Notice
Paul,
There are going to people who skip right over this email. Why?
Because they don't like to apply PTF's with the mentality "If it ain't
broke, don't fix it.". It upsets them to find out that they're broke.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 04/14/2014 03:39 PM
Subject: RE: OpenSSL Vulnerability Notice
Sent by: midrange-l-bounces@xxxxxxxxxxxx
Previously, we stated that if running OpenSSL 0.9.8, we were safe.
However, there was additional info in "The Four Hundred" dated 4/14,
that states there are additional issues resolved by multiple PTFs.
http://www.itjungle.com/tfh/tfh041414-story02.html
"That leaves us the unexpected news. While the Heartbleed
vulnerability doesn't impact the IBM i utilities package because it is
running an older version of OpenSSL, other recently discovered OpenSSL
vulnerabilities do impact IBM i. According to Watkins, IBM is
currently working on a patch for CVE-2014-0076, or the "FLUSH+RELOAD
Cache Side-channel Attack," which was disclosed March 25. You will
want to keep an eye out for the PTF when it's ready.
In the last week, IBM has patched several other recently disclosed
OpenSSL
vulnerabilities that do impact the IBM i utility. CVE-2013-0169, or
the "Lucky Thirteen" flaw, was addressed by IBM with PTFs SI49896,
SI49904, and SI49867. CVE-2013-0166, a signature verification flaw,
was addressed with SI49896, SI49904, and SI49867. To view PTF cover
sheets and other related information on security patches for IBM i, go
to the Preventive Service Planning webpage. You will probably want to
apply these patches pronto. You will also want to make sure your other
IBM products (WebSphere, Apache Web server, Notes/Domino) aren't impacted as well.
Several other recently disclosed OpenSSL vulnerabilities that don't
impact
the IBM i OpenSSL utility package include CVE-2013-4353,
CVE-2013-6450, CVE-2013-6449, and CVE-2012-2686.
IBM isn't the only software vendor to use OpenSSL, of course, and
there are several IBM i products that may also be affected by the
Heartbleed flaw, but they don't appear to be in widespread use. This
includes a client for a Subversion change management system from the
Russian software
company Banking Technologies and Consulting, and the old firewall from
Stonesoft (now part of McAfee. There are undoubtedly others.
Townsend Security does use OpenSSL in its Alliance Key Manager
solution, but it doesn't use a version that is affected by Heartbleed,
CEO Patrick Townsend tells IT Jungle. "Townsend Security does NOT use
OpenSSL in any of our IBM i products," Townsend says. The company's
complete statement on
the Heartbleed vulnerability can be read here.
Similarly, Linoma Software, which provides encryption and MFT software
for
IBM i, also doesn't use OpenSSL. Instead it relies on the JSSE
implementation of SSL/TLS for encrypted sessions. You can read
Linoma's take on the matter here.
Now's the fun part: Time to go change all your passwords! If you have
any questions about which websites are particularly susceptible, check
out the
free Heartbleed vulnerability test website, www.ssllabs.com, which was
set
up by Qualys."
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [
mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Helgren
Sent: Thursday, April 10, 2014 8:56 AM
To: Midrange Systems Technical Discussion
Subject: Re: OpenSSL Vulnerability Notice
If that is an SSH connection, you aren't vulnerable. SSH only uses
the OpenSSL library for cryptography...the TLS portion of OpenSSL is
what uses
the "heartbeat" and has the problem. So, SSH (say puTTY using SSH)
isn't vulnerable....
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
On 4/9/2014 6:10 PM, Jerry Draper wrote:
When I connect to a server using OpenSSL I get this response when
the command line switch is set to -vvv:
OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013
Is this my client version or the version of the server?
Thanks,
Jerry
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
