D&C GLug - Home Page


Re: [LUG] Heartbleed is a Free Software win


The proprietary/free question is moot and vague.

Earlier in the week, since Linux patching was fairly painless, I was chasing down when CISCO will fix the Montgomery ladder implementation in OpenSSL 0.9.8, which is embedded in their proprietary VPN clients. Not yet fixed in OpenSSL 0.9.8, but it was in the 1.0.1g release.

Today I am scratching my head over the CISCO VPN authentication bypass vulnerability (ouch) and 3 other serious bugs in the same product, which as far as I can establish is entirely their own code. So the reputation of proprietary software should be mud. Their iOS client includes OpenSSL 1.0.1 ;)

Our free software VPN provider updated their gratis product with OpenSSL patches before the major proprietary providers had finished their assessments of which products are vulnerable. This is more to do with team size (one v many) and layers of bureaucracy than free v proprietary, I suspect.

The distros got tipped off early, but patching vanilla Linux boxes was the simplest of all. Unlike Apple, who encourage static linking of OpenSSL in apps, it was one library update and a reboot, and you are done. Reboot optional if you know what you are doing.

I'm thinking this boosts the case for doing everything from vanilla Linux or BSD distros.

In other news, patches arrived for critical vulnerabilities in Adobe Flash and Microsoft Office this week.

---
Sent from Boxer | http://getboxer.com
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
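The "reboot optional if you know what you are doing" step above is the part people get wrong after a shared-library update: the package manager replaces libssl on disk, but any long-running daemon keeps the old, now-deleted copy mapped until it is restarted. The check below is an added example, not code from the post or from any distro; it scans the Linux `/proc/PID/maps` files for libssl/libcrypto mappings flagged `(deleted)` so you can restart just those services. The sample maps contents are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): after a libssl/libcrypto package
# update, find processes still running the OLD library so they can be restarted
# instead of rebooting the whole machine.

# Report a stale OpenSSL mapping from one /proc/PID/maps-style file.
# $1 = pid label, $2 = path to the maps file.  Prints "pid libpath" once, or nothing.
# maps line layout: address perms offset dev inode pathname [(deleted)]
stale_in_maps() {
    awk -v pid="$1" '$6 ~ /lib(ssl|crypto)/ && $NF == "(deleted)" { print pid, $6; exit }' "$2"
}

# Walk every live process on this host (needs root to read other users' maps).
stale_ssl_procs() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_in_maps "$pid" "$maps" 2>/dev/null
    done
}

# Constructed sample: a daemon still holding the replaced 1.0.0 libraries ...
STALE_MAPS=$(mktemp)
cat > "$STALE_MAPS" <<'EOF'
7f1c00000000-7f1c00200000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c00200000-7f1c00400000 r-xp 00000000 08:01 131074 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1c00400000-7f1c00500000 r-xp 00000000 08:01 131075 /lib/x86_64-linux-gnu/libc-2.19.so
EOF

# ... and one that was restarted after the update and maps the current file.
CLEAN_MAPS=$(mktemp)
cat > "$CLEAN_MAPS" <<'EOF'
7f1c00000000-7f1c00200000 r-xp 00000000 08:01 131090 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1c00400000-7f1c00500000 r-xp 00000000 08:01 131075 /lib/x86_64-linux-gnu/libc-2.19.so
EOF

# Demonstration on the constructed samples; on a real host run stale_ssl_procs instead.
echo "stale: $(stale_in_maps 4242 "$STALE_MAPS")"
echo "clean: '$(stale_in_maps 4243 "$CLEAN_MAPS")'"
```

Only the first stale mapping per process is printed, so each PID appears once; feed the output to your service manager (or `systemctl restart`/`service ... restart` by hand) and re-run until it is empty. A process that still shows up after restart is statically linked or bundles its own copy of OpenSSL, which is exactly the case the post contrasts with the one-library-update model.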