What about binaries that might have OpenSSL statically linked? Even if you
update the system libraries you could still be vulnerable.
Or the appliance (or out-of-band management card, print server, etc., etc.)
that you can't log in to in order to be able to tell what version of the
libraries it's using.
Or the system you did update the libraries on, but forgot to restart the
webserver to pick up the change?
The best answer is normally going to be to do both - check the system
itself to make sure it doesn't have an impacted version installed, but also
check the individual services to make sure they are not impacted and/or
have been fixed.
Scott
On Wed, Apr 9, 2014 at 2:19 PM, Eliezer Croitoru
On 04/09/2014 04:21 AM, Dean Pemberton wrote:
We have three basic messages for website owners:
1. Establish if your site's servers are vulnerable.
2. Patch the vulnerable servers.
3. Revoke/reissue keys and certificates.
Isn't it very simple to just verify that you have or don't have the infected library and decide on the certificate revocation and reissuing?
Why even test the issue if it was tested and validated to affect only specific versions of the libs?
So I think the test tools are just for fun and to run a couple more code lines which describe the result of the test that was already conducted on lots of versions of OpenSSL.
(just thinking out loud)
Eliezer
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
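Two of the cases raised in the reply above (a statically linked copy of OpenSSL, and a service that was not restarted after the library update) can be checked on a host you do have access to. The following is an added example, not part of the original thread: it looks for the OpenSSL version banner inside an executable image and for libssl/libcrypto mappings marked deleted in `/proc/<pid>/maps`. The function names and sample data are constructed for illustration, and the Linux `/proc` layout is assumed.

```python
import re

# Version banner that OpenSSL compiles into libcrypto, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# It is ordinary string data, so it is also present in a statically linked executable.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")

# In /proc/<pid>/maps, a mapped file that was replaced on disk ends in " (deleted)".
STALE = re.compile(r"(\S*lib(?:ssl|crypto)\S*) \(deleted\)$")


def embedded_openssl_versions(blob: bytes) -> list:
    """Return the distinct OpenSSL versions whose banner appears in a binary image."""
    return sorted({m.group(1).decode("ascii") for m in BANNER.finditer(blob)})


def stale_openssl_maps(maps_text: str) -> list:
    """Return libssl/libcrypto paths a process still maps after the file was replaced."""
    found = set()
    for line in maps_text.splitlines():
        m = STALE.search(line.strip())
        if m:
            found.add(m.group(1))
    return sorted(found)


def scan_file(path: str) -> list:
    """Check one executable on disk for an embedded OpenSSL banner."""
    with open(path, "rb") as fh:
        return embedded_openssl_versions(fh.read())


def scan_pid(pid: int) -> list:
    """Check one running process for OpenSSL libraries it loaded before an update."""
    with open(f"/proc/{pid}/maps") as fh:
        return stale_openssl_maps(fh.read())


# Constructed samples (not taken from any real system).
SAMPLE_BINARY = b"\x7fELF\x02\x01\x01\x00pad\x00OpenSSL 1.0.1e 11 Feb 2013\x00pad\x00"
SAMPLE_MAPS = """\
7f3c1a000000-7f3c1a058000 r-xp 00000000 08:01 131 /usr/lib/libssl.so.1.0.0 (deleted)
7f3c1a400000-7f3c1a5b0000 r-xp 00000000 08:01 132 /usr/lib/libcrypto.so.1.0.0 (deleted)
7f3c1b000000-7f3c1b1a0000 r-xp 00000000 08:01 140 /lib/libc-2.17.so
"""

if __name__ == "__main__":
    print("embedded versions:", embedded_openssl_versions(SAMPLE_BINARY))
    print("needs restart, still maps:", stale_openssl_maps(SAMPLE_MAPS))
```

A reported version still has to be compared against the advisory for the issue at hand, and neither check helps with the appliance case, where only a test against the running service is possible.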