[openssl-users] OpenSSL and detecting whether bugs have been patched

Jason Woods devel at jasonwoods.me.uk
Thu Mar 5 13:28:54 UTC 2015


> On 5 Mar 2015, at 12:23, Salz, Rich <rsalz at akamai.com> wrote:
>> if (!openssl_is_patched("CVE-2014-0160")) {
>>   complain_vociferously();
>> }
> 
> That's an interesting idea.  Of course the CVE list would grow, so perhaps arrays of ints are better
> 	int OPENSSL_cve_fixed(int year, int vuln);
> 
> ?

This feels onerous... I think this would only affect vendors who release their own patched versions. The OpenSSL team should probably not have to deal with their problems; using the latest version of upstream OpenSSL, you'd be fine to verify the version number.
Maybe it's just a case of the vendor (RedHat etc.) having to come up with a solution: a /usr/share/openssl/heartbleed_fixed file added to the package, or a /usr/share/openssl/patchlist file containing the list of patches applied. FreeRADIUS can then check this based on the distribution's way of dealing with it.

Jason
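As an added example (not code from this thread, FreeRADIUS or OpenSSL), here is one way an application could implement the check described above: consult a vendor-shipped patch list first, and fall back to comparing the upstream version number only when no such list exists. The path /usr/share/openssl/patchlist and its one-CVE-per-line format are assumptions, the sample file contents are constructed, and the first-fixed versions for CVE-2014-0160 and CVE-2014-0224 are taken from the OpenSSL advisories for those two issues.

```c
/* Added example, not code from the thread, FreeRADIUS or OpenSSL.  A
 * vendor-shipped patch list (path and format assumed) is consulted first;
 * the upstream version number is only trusted when no list exists. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical file a distribution could install; a real caller would
 * fopen() it and pass its contents where the sample is used below. */
#define PATCHLIST_PATH "/usr/share/openssl/patchlist"

/* Constructed sample of such a file: one CVE id per line, '#' comments. */
static const char sample_patchlist[] =
    "# fixes backported by the distribution into openssl-1.0.1e\n"
    "CVE-2014-0160   # heartbleed\n"
    "CVE-2014-0224\n"
    "\n";

enum fix_state { FIX_UNKNOWN = -1, FIX_MISSING = 0, FIX_PRESENT = 1 };

/* Return 1 if `cve` is the whole first token of some line in `list`. */
int patchlist_contains(const char *list, const char *cve)
{
    size_t n = strlen(cve);
    const char *line = list;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (p < line + len && isspace((unsigned char)*p))
            p++;
        /* the token must end at end-of-line, whitespace or a comment */
        if (*p != '#' && (size_t)(line + len - p) >= n &&
            strncmp(p, cve, n) == 0 &&
            ((size_t)(line + len - p) == n || isspace((unsigned char)p[n]) ||
             p[n] == '#'))
            return 1;
        if (!end)
            break;
        line = end + 1;
    }
    return 0;
}

/* OpenSSL's version number is 0xMNNFFPPS (major, minor, fix, patch, status),
 * the layout of OPENSSL_VERSION_NUMBER; 1.0.1g is 0x1000107fL.  On 1.0.x the
 * running library reports it through SSLeay(). */
#define OSSL_BRANCH(v) ((v) & 0xFFFFF000UL)   /* MNNFF = release branch */

/* First fixed release per branch; fixed_in == 0 means never affected.
 * Values are from the OpenSSL advisories for these two CVEs; the 0.9.8
 * branch is omitted for brevity, so it yields FIX_UNKNOWN. */
struct cve_fix { const char *cve; unsigned long branch, fixed_in; };
static const struct cve_fix upstream_fixes[] = {
    { "CVE-2014-0160", 0x10001000UL, 0x1000107fUL }, /* heartbleed: 1.0.1g */
    { "CVE-2014-0160", 0x10000000UL, 0 },            /* 1.0.0 not affected */
    { "CVE-2014-0224", 0x10001000UL, 0x1000108fUL }, /* CCS injection: 1.0.1h */
    { "CVE-2014-0224", 0x10000000UL, 0x100000dfUL }, /* ...and 1.0.0m */
};

/* Version-only check: meaningful for unmodified upstream builds only. */
int cve_fixed_by_version(unsigned long version, const char *cve)
{
    size_t i;
    for (i = 0; i < sizeof upstream_fixes / sizeof upstream_fixes[0]; i++) {
        const struct cve_fix *f = &upstream_fixes[i];
        if (strcmp(f->cve, cve) != 0 || OSSL_BRANCH(version) != f->branch)
            continue;
        if (f->fixed_in == 0 || version >= f->fixed_in)
            return FIX_PRESENT;
        return FIX_MISSING;
    }
    return FIX_UNKNOWN;   /* no data for this CVE on this branch */
}

/* The check an application could run at startup: a patch list entry wins
 * over the version comparison, since backports don't bump the version. */
int openssl_cve_fixed(const char *patchlist, unsigned long version,
                      const char *cve)
{
    if (patchlist && patchlist_contains(patchlist, cve))
        return FIX_PRESENT;
    return cve_fixed_by_version(version, cve);
}

int main(void)
{
    static const char *cves[] = { "CVE-2014-0160", "CVE-2014-0224" };
    unsigned long ver = 0x1000105fUL;   /* pretend SSLeay() reported 1.0.1e */
    size_t i;
    for (i = 0; i < sizeof cves / sizeof cves[0]; i++) {
        int st = openssl_cve_fixed(sample_patchlist, ver, cves[i]);
        printf("%s: %s\n", cves[i], st == FIX_PRESENT ? "fixed" :
               st == FIX_MISSING ? "NOT fixed, complain vociferously" : "unknown");
    }
    return 0;
}
```

With the sample list the program reports both CVEs as fixed even though 1.0.1e predates the fixes, which is exactly the case a distribution backport creates; pass NULL instead of the list and the version comparison alone reports CVE-2014-0160 as missing. The version table is keyed by release branch on purpose: 1.0.0m is numerically older than 1.0.1g yet was never vulnerable to heartbleed, so a plain "version >= 1.0.1g" test would misreport it.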

