[arch-general] Heartbleed-bug in OpenSSL 1.0.1 up to 1.0.1f

Jerome Leclanche adys.wh at gmail.com
Tue Apr 8 12:54:14 EDT 2014


Slightly OT but for those interested, I added the heartbleed utility
(used by the heartbleed checker site) to the AUR:
https://aur.archlinux.org/packages/heartbleed-git/

% heartbleed mediacru.sh:443
2014/04/08 17:53:57 mediacru.sh:443 - SAFE
J. Leclanche


On Tue, Apr 8, 2014 at 5:35 PM, Anatol Pomozov <anatol.pomozov at gmail.com> wrote:
> Hi
>
> On Tue, Apr 8, 2014 at 9:29 AM, Pierre Schmitz <pierre at archlinux.de> wrote:
>> Am 08.04.2014 17:29, schrieb Neal Oakey:
>>> Hi,
>>>
>>> there is an Bug(1) in OpenSSL 1.0.1 and as far as I'm informed this has
>>> only been patched in 1.0.1g.
>>> Many other Distributions have build there own patch, what is with us?
>>> Currently we have "1.0.1.f-2" which is effected as far as I can know.
>>>
>>> Greetings
>>> Neal
>>>
>>> 1) (sry, German)
>>> http://www.golem.de/news/sicherheitsluecke-keys-auslesen-mit-openssl-1404-105685.html
>>
>> I actually did push an updated package within 3 hours after the public
>> announcement. I think that is pretty reasonable especially since we are
>> not among the fortunate distros and companies that were notified
>> beforehand.
>
> Is there any "secret security list" for distros where such issues are
> discussed/notified before a vulnerable gets public attention? If there
> is one then Arch should be added there as well.


More information about the arch-general mailing list