https://threatpost.com/openssl-patches-critical-certificate-validation-vulnerability/113703
This is a big one: if you did an 11 June OpenSSL update, you need to take care NOW.
Thanks for the heads up - we started getting queries on this and found out we're not vulnerable.
WTF is wrong with OpenSSL?
I think they updated the March OpenSSL vulnerability just for you Dean...
Cisco Identity Services Engine (ISE) CSCut46056 1.3.x (4-July-2015)
Hopefully you are running 2.0
BTW a lot of the software fixes for the June OpenSSL are due late summer into fall.
We're running CounterACT for NAC, but there's a lot of NAC stuff that's equal headaches, no matter what the platform is, because of all the crazy crap that plugs into it.
I want to punch the guy that made it so we can't run full packet captures from an iPhone. Isn't it a crime to not allow a device on the network to run packet captures? Don't they have Rights of Things?
MAKE IT STOP.....
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl
:awesome:
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...
Quote from: deanwebb on July 14, 2015, 11:22:44 AM
Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...
The problem is what are you going to replace it with? Another fork of OpenSSL that will then never be audited, or updated? There are some serious concerns on the open-source model for a critical function like this, but I don't have a solution that is better. It will take people smarter than me to solve that problem.
-Otanx
Quote from: Otanx on July 14, 2015, 02:09:24 PM
Quote from: deanwebb on July 14, 2015, 11:22:44 AM
Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...
The problem is what are you going to replace it with? Another fork of OpenSSL that will then never be audited, or updated? There are some serious concerns on the open-source model for a critical function like this, but I don't have a solution that is better. It will take people smarter than me to solve that problem.
-Otanx
LibreSSL should be a viable alternative; the developers are from the FreeBSD project and their vulnerability track records look better than OpenSSL. It is actually the default SSL implementation for FreeBSD since last year.
Apparently the development community on this project is stuffed. I read a long thread on it:
http://arstechnica.com/civis/viewtopic.php?f=2&t=1240611&start=40