Why isn't heartbleed a "drop everything and fix it"

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
kev_rm
DD-WRT Novice


Joined: 13 Jul 2013
Posts: 21

PostPosted: Tue Apr 15, 2014 13:38    Post subject: Why isn't heartbleed a "drop everything and fix it"
Just curious what the mindset is. Most commercial patches were issued on day one. This is day eight.

Yes, I know which items it affects, but I still have the same question.
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 376
Location: Michigan

PostPosted: Tue Apr 15, 2014 20:41
kev_rm
DD-WRT Novice


Joined: 13 Jul 2013
Posts: 21

PostPosted: Wed Apr 16, 2014 1:43
Any sane human being would prefer a currently-being-exploited encryption fix over an overclocking guide.

notorious.dds wrote:
Wetzel
DD-WRT Novice


Joined: 12 Apr 2014
Posts: 49

PostPosted: Wed Apr 16, 2014 3:40    Post subject: Re: Why isn't heartbleed a "drop everything and fix it"
kev_rm wrote:
Just curious what the mindset is. Most commercial patches were issued on day one. This is day eight.

Yes, I know which items it affects, but I still have the same question.


Yeah... I dunno, I'm just frustrated with massive disinfo. This version is vulnerable, oh wait, it's not vulnerable... OK, this SSL version isn't affected, oh wait, it is... I THINK it's affected... OK, it's not... wait, I'm not sure. There is a fix, yet no one can link to it. I mean... this isn't ingratitude, it's just frustration on trying to find out what the real deal is.
Newbrain
DD-WRT User


Joined: 28 Dec 2013
Posts: 171

PostPosted: Wed Apr 16, 2014 10:06    Post subject: Most products?
http://www.cso.com.au/article/543019/heartbleed_bug_irritating_mcafee_symantec_kaspersky_lab/

Many (most) commercial vendors like McAfee can't even say for sure which products are affected, and how.

From another thread (http://www.dd-wrt.com/phpBB2/viewtopic.php?t=260167):
BrainSlayer wrote:
Neither https nor ssh is affected in any build. https uses matrixssl and dropbear uses tomcrypt.

openssl is used for freeradius, openvpn, tor, asterisk.

So if you have a small router with 4 MB flash, you aren't affected since openssl is not even included. If you use a big router with openvpn, you might be affected if TLS is used. The next beta builds will fix that issue.


Pretty amazing service for a free product, and way more actionable than the commercial products discussed in the link. May I suggest we all donate whatever we can afford to dd-wrt and openssl? (OpenSSL needs a complete rewrite IMO.)

Edit: Donated (albeit only a small amount | 10€)
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

PostPosted: Sun Apr 20, 2014 23:38
Unless you publicly expose a server with unpatched OpenSSL with TLS heartbeat enabled, there is nothing to fear. So, if you did not run a server (like OpenVPN or transmission), your router was not vulnerable. As others said, only OpenSSL 1.0.1 up to and including 1.0.1f were vulnerable, not the versions before or after these.
_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)
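The two technical claims in this thread are BrainSlayer's list of which DD-WRT services link OpenSSL (freeradius, openvpn, tor, asterisk) and slobodan's affected version range (1.0.1 through 1.0.1f). The script below is an added example, not code from any poster or from the DD-WRT project: it classifies an `openssl version` string against that range and reports which of the named OpenSSL consumers are present on the host. The sample version strings in the comments are constructed for illustration; the function and output labels are hypothetical names chosen here. It is POSIX sh, so it should run under BusyBox ash as well as bash.

```shell
#!/bin/sh
# Added example (not from the thread). Classify an OpenSSL version banner
# against the range slobodan names: 1.0.1 through 1.0.1f are in the affected
# range; 0.9.8, 1.0.0 and 1.0.1g or later are outside it.
# Prints one of: in-affected-range, outside-affected-range, unknown.
# A banner in range does NOT prove exposure: vendors that backport the fix
# keep the old letter, and a build with heartbeats compiled out is also safe,
# so treat "in-affected-range" as "verify further", not as "vulnerable".
#
# Constructed sample inputs:
#   "OpenSSL 1.0.1e 11 Feb 2013"  -> in-affected-range
#   "OpenSSL 1.0.1g 7 Apr 2014"   -> outside-affected-range
#   "LibreSSL 2.2.7"              -> unknown
heartbleed_version_class() {
    # Keep only "major.minor.patch" plus the optional letter suffix.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    case "$ver" in
        1.0.1|1.0.1[a-f])                 echo in-affected-range ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|0.9.*|1.0.0*) echo outside-affected-range ;;
        *)                                echo unknown ;;
    esac
    return 0
}

# Report the OpenSSL consumers BrainSlayer lists that are installed here.
# On a small DD-WRT build none of them (and no openssl binary) will exist,
# which matches his point that such routers are not affected at all.
heartbleed_openssl_consumers() {
    found=""
    for svc in freeradius openvpn tor asterisk; do
        if command -v "$svc" >/dev/null 2>&1; then
            found="$found $svc"
        fi
    done
    echo "${found:- none}"
    return 0
}

# Run the version check against the local openssl binary, if there is one.
heartbleed_local_check() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary on this host"
        return 0
    fi
    heartbleed_version_class "$(openssl version 2>/dev/null)"
    return 0
}

echo "OpenSSL classification: $(heartbleed_local_check)"
echo "OpenSSL consumers present:$(heartbleed_openssl_consumers)"
```

Run it on the router over ssh; a result of `no openssl binary on this host` with no consumers listed is the "small router with 4 MB flash" case from BrainSlayer's post. An `in-affected-range` result only narrows the question to the services that are actually listening with TLS, which is the condition slobodan gives, and to whether the build has since been updated.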

