Posted: Wed Apr 16, 2014 3:40 Post subject: Re: Why isn't heartbleed a "drop everything and fix it"
kev_rm wrote:
Just curious what the mindset is. Most commercial patches were issued on day one. This is day eight.
Yes, I know which items it affects, but I still have the same question.
Yeah... I dunno, I'm just frustrated with massive disinfo. This version is vulnerable, oh wait, it's not vulnerable... OK, this SSL version isn't affected, oh wait, it is... I THINK it's affected... OK, it's not... wait, I'm not sure. There is a fix, yet no one can link to it. I mean... this isn't ingratitude, it's just frustration on trying to find out what the real deal is.
Many (most) commercial vendors like McAfee can't even say for sure which products are affected, and how.
From another thread (http://www.dd-wrt.com/phpBB2/viewtopic.php?t=260167):
BrainSlayer wrote:
https nor ssh is affected in all builds. https uses matrixssl and dropbear uses tomcrypt.
openssl is used for freeradius, openvpn, tor, asterisk
so if you have a small router with 4 mb flash, you aren't affected since openssl is not even included. if you use a big router with openvpn, you might be affected if tls is used. next beta builds will fix that issue.
Pretty amazing service for a free product, and way more actionable than the commercial products discussed in the link. May I suggest we all donate whatever we can afford to dd-wrt and openssl? (OpenSSL needs a complete rewrite IMO.)
Unless you publicly expose a server with unpatched OpenSSL with TLS heartbeat enabled, there is nothing to fear. So, if you did not run a server (like OpenVPN or transmission), your router was not vulnerable. As others said, only OpenSSL 1.0.1 up to and including 1.0.1f were vulnerable. Not the versions before or after these versions.
_________________
2 times APU2 Opnsense 21.1 with Sensei
2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)
3 times Asus RT-N16 shelved
E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)
3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)
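The two conditions discussed in the posts above (an OpenSSL release in the affected range, and a running service that actually uses OpenSSL) can be checked together. The script below is an added example, not code from the thread or from DD-WRT; the function names, the sample process listing, the `radiusd` process name and the 1.0.2-beta entries (taken from OpenSSL's own advisory, so going slightly beyond the range quoted in the post) are assumptions.

```shell
#!/bin/sh
# Added example. Inputs are passed in as strings so the check runs offline.
# Daemons the thread lists as using OpenSSL (radiusd: assumed FreeRADIUS process name).
OPENSSL_DAEMONS="freeradius radiusd openvpn tor asterisk"

# Constructed sample of a router process listing.
SAMPLE_PS='  812 root  3120 S  openvpn --config /tmp/openvpn/openvpn.conf
  901 root  1100 S  dropbear -b /tmp/loginprompt
 1002 root  1300 S  httpd -p 80'

# heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013" -> affected | not-affected | unknown
# "affected" means the release is in the affected range; a distribution may have
# backported the fix without changing the letter, so confirm against its changelog.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%%-fips*}                         # drop a distro tag such as -fips
    case "$ver" in
        1.0.1|1.0.1[abcdef])    echo affected ;;      # range given in the thread
        1.0.2-beta|1.0.2-beta1) echo affected ;;      # per OpenSSL's advisory
        1.0.1[a-z]*)            echo not-affected ;;  # 1.0.1g and later
        0.9.*|1.0.0*)           echo not-affected ;;  # no heartbeat support yet
        1.0.[2-9]*|1.[1-9].*|[3-9].*) echo not-affected ;;
        *)                      echo unknown ;;       # not an OpenSSL banner
    esac
}

# Print the OpenSSL-using daemons that appear as a command in a process listing.
openssl_daemons_in() {
    found=""
    for d in $OPENSSL_DAEMONS; do
        if printf '%s\n' "$1" | grep -Eq "(^|[ /])$d( |\$)"; then
            found="$found $d"
        fi
    done
    echo "${found# }"
}

# Combine both conditions: affected library AND a service that uses it.
assess() {
    st=$(heartbleed_status "$1")
    daemons=$(openssl_daemons_in "$2")
    if [ "$st" = affected ] && [ -n "$daemons" ]; then
        echo "patch-now: $daemons"
    elif [ "$st" = affected ]; then
        echo "affected-library-no-listener"
    else
        echo "$st"
    fi
}

assess "OpenSSL 1.0.1e 11 Feb 2013" "$SAMPLE_PS"
```

On a live system the two arguments would come from `openssl version` and `ps`.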