On Fri, Mar 06, 2015 at 01:32:58PM -0800, Chris Brannon wrote:
> Adam Thompson writes:
>
> > I'm not sure about the test site, but from the looks of things I think if you
> > upgrade your openssl library you'll be fine.
>
> Ok, here's the message I sent to Karl yesterday:
>
>
> Well, the freakattack.com site now has a test that doesn't rely on
> JavaScript. Try fetching the page
> https://cve.freakattack.com/
> If it loads without errors, then your client is vulnerable, and the
> response is a plain text message saying "vulnerable".
> On my main machine, there is an error when I try to connect.
> It looks like this:
>
> SSL connect error in libcurl:
> error:1408D0F4:SSL routines:ssl3_get_key_exchange:unexpected message
>
> However, the statically-linked edbrowse binaries are vulnerable.
> It's been a few months since I've rebuilt them, so I need to refresh all
> the packages on the virtual build machines and rebuild them.
> For now, I've just pulled them from the site.
>
>
> I rebuilt and re-uploaded new static binaries after sending that,
> so anyone who is using them needs to get the new ones ASAP.
>
> As for the rest of us, all we need to do is make sure our libraries are
> all up to date and free of issues.

Thanks for being so on top of this issue. Given the nature of Edbrowse and the
current security climate, I wonder if we need an automated system to rebuild
these if we don't have one already?

Cheers,
Adam.