The bug effects 1.0.1, so any appliance that pre-dates (Feb 2012) this version is unlikely to be a problem. That may reduce the number of devices/vendors you need to check.

For example Ubuntu 10.04 LTS with openssl 0.9.8 should not affected by this bug.

On Thu, Apr 10, 2014 at 9:33 AM, Scott Howard <> wrote:
What about binaries that might have OpenSSL statically linked?  Even if you update the system libraries you could still be vulnerable.

Or the appliance (or out-of-band management card, print server, etc, etc) that you can't login to in order to be able to tell what version of the libraries it's using.

Or the system you did update the libraries on, but forgot to restart the webserver to pickup the change?

The best answer is normally going to be to do both - check the system itself to make sure it doesn't have an impacted version installed, but also check the individual services to make sure they are not impacted and/or have been fixed.


On Wed, Apr 9, 2014 at 2:19 PM, Eliezer Croitoru <> wrote:
On 04/09/2014 04:21 AM, Dean Pemberton wrote:
We have tree basic messages for website owners:

1. Establish if your site's servers are vulnerable.
2. Patch the vulnerable servers.
3. Revoke/reissue keys and certificates.

Isn't it very simple to just verify that you have or doesn't have the infected library and decide on the certificate revocation and reissuing?

Why to even test the issue if it was tested and validated to affect only on specific version of libs?

So I think the test tools are just for the fun and to run couple more code lines which describes the result of the test that was conducted on lots of versions of openssl already.

(just thinking out loud)
NZNOG mailing list

NZNOG mailing list