Re: [Edbrowse-dev] freak attack

[Adam Thompson <arthompson1990@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1531 bytes --]

On Fri, Mar 06, 2015 at 01:32:58PM -0800, Chris Brannon wrote:
> Adam Thompson <arthompson1990@gmail.com> writes:
> 
> > I'm not sure about the test site, but from the looks of things I think if you
> > upgrade your openssl library you'll be fine.
> 
> Ok, here's the message I sent to Karl yesterday:
> 
> <quote>
> Well, the freakattack.com site now has a test that doesn't rely on
> JavaScript.  Try fetching the page
> https://cve.freakattack.com/
> If it loads without errors, then your client is vulnerable, and the
> response is a plain text message saying "vulnerable".
> On my main machine, there is an error when I try to connect.
> It looks like this:
> 
> SSL connect error in libcurl:
> error:1408D0F4:SSL routines:ssl3_get_key_exchange:unexpected message
> 
> However, the statically-linked edbrowse binaries are vulnerable.
> It's been a few months since I've rebuilt them, so I need to refresh all
> the packages on the virtual build machines and rebuild them.
> For now, I've just pulled them from the site.
> </quote>
> 
> I rebuilt and re-uploaded new static binaries after sending that,
> so anyone who is using them needs to get the new ones ASAP.
> 
> As for the rest of us, all we need to do is make sure our libraries are
> all up to date and free of issues.

Thanks for being so on top of this issue.
Given the nature of Edbrowse and the current security climate,
I wonder if we need an automated system to rebuild these if we don't have one 
already?

Cheers,
Adam.

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 473 bytes --]