Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
8Geee


Joined: 12 May 2008
Posts: 2083
Location: N.E. USA

Posted: Tue 21 Oct 2014, 14:29

That's funny, mine fails to connect with "potentially vulnerable handshake" supplied by the server. Using TLS1.1 or 1.2 protocol here.

BTW... I disabled/removed ssl V.C. 0.2 and edited about:config to a 3 fallback 2 config. TLS1.0 not allowed. I did this because one could select ssl3.0 in the dropdown box in the preferences of the add-on. Very naughty.

_________________
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
Griot


Joined: 12 Sep 2014
Posts: 131
Location: Serbia

Posted: Tue 21 Oct 2014, 14:39

Thanks for the link, perdido. There is only one result marked as 'improvable' with Opera 12.16. It doesn't look like THE essential option to me. AFAIK SSL3 is disabled by default in said browser.

Quote:
Session Ticket Support - Improvable
Session tickets are not supported in your client. Without them, services will have a harder time making your client's connections fast. Generally, clients with ephemeral key support get this for free.
rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Thu 30 Oct 2014, 14:04

perdido wrote:


This site tells you which SSL/TLS you are using.

https://www.howsmyssl.com/

.


It tells me
Quote:
Bad Your client is using TLS 1.0

while SSL Version Control 0.2 is set to TLS 1.2

Question
perdido


Joined: 09 Dec 2013
Posts: 1396
Location: ¿Altair IV , Just north of Eeyore Junction.?

Posted: Thu 30 Oct 2014, 21:59

rolf wrote:
perdido wrote:


This site tells you which SSL/TLS you are using.

https://www.howsmyssl.com/

.


It tells me
Quote:
Bad Your client is using TLS 1.0

while SSL Version Control 0.2 is set to TLS 1.2

Question


Mentioned on the SSL Version control download page is that FF34, FF33 reset to TLS1.0 on restart.
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/reviews/

.
rolf

Joined: 28 Dec 2008
Posts: 34

Posted: Thu 30 Oct 2014, 22:21

perdido wrote:

Mentioned on the SSL Version control download page is that FF34, FF33 reset to TLS1.0 on restart.
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/reviews/

.


I can set the Version Control preference in the dropdown to anything, restart Seamonkey, and the page at https://www.howsmyssl.com/ always tells me I'm running TLS 1.0.

I had security.tls.version.min;3 set in about:config. I can change that to anything from security.tls.version.min;1 to security.tls.version.min;4 and it makes no difference when Seamonkey is restarted.

Seamonkey 2.18 Linux x86_64

Thanks.
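A check for the about:config situation described in the posts above, as an added example that is not part of the thread: it reads security.tls.version.min and security.tls.version.max from the text of a profile's prefs.js and flags a minimum that sits above the maximum or below the wanted version. The sample prefs text, the function names and the default values passed in are constructed assumptions; the 0 to 4 value mapping is the one Gecko uses for these prefs.

```python
import re

# Numeric values Gecko uses for security.tls.version.min / .max
TLS_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

PREF_RE = re.compile(
    r'^\s*user_pref\("security\.tls\.version\.(min|max)",\s*(-?\d+)\s*\);',
    re.MULTILINE,
)

def read_tls_prefs(prefs_text):
    """Return {'min': n, 'max': n} for the values the profile overrides."""
    return {name: int(value) for name, value in PREF_RE.findall(prefs_text)}

def audit_tls_range(prefs_text, default_min, default_max, want_min=3):
    """Work out the effective min/max and list reasons the client could
    still end up below want_min. default_min/default_max are the build's
    own defaults, supplied by the caller (hypothetical parameters)."""
    prefs = read_tls_prefs(prefs_text)
    lo = prefs.get("min", default_min)
    hi = prefs.get("max", default_max)
    findings = []
    for label, value in (("min", lo), ("max", hi)):
        if value not in TLS_NAMES:
            findings.append(f"{label}={value} is not a known protocol value")
    if lo > hi:
        findings.append(f"min={lo} is above max={hi}: the range is empty, raise max as well")
    elif lo < want_min:
        findings.append(f"min={lo} still permits {TLS_NAMES.get(lo, '?')}")
    return {"min": lo, "max": hi, "findings": findings}

# Constructed sample: a profile that overrides only the minimum
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 0);
user_pref("security.tls.version.min", 3);
'''

if __name__ == "__main__":
    # default_max=1 is an assumed default for an old build, not a value from the thread
    report = audit_tls_range(SAMPLE_PREFS, default_min=0, default_max=1)
    print(report["min"], report["max"])
    for line in report["findings"]:
        print("-", line)
```
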
Puppus Dogfellow


Joined: 07 Jan 2013
Posts: 1631
Location: nyc

Posted: Thu 21 May 2015, 22:42

Geoffrey wrote:
Edit: updated to bash-4.3.30-1
mavrothal wrote:
Do we know anything more about rg66's version? ie source and configure options?


The latest patch 28 seems to have fixed it, I'm pretty sure that rg66 used the same sources as I did and compiled with
Code:
 ./configure --prefix=/ --with-curses


I compiled using
Code:
./configure --with-curses --bindir=/bin --datarootdir=/usr/share


Code:
bash --version
GNU bash, version 4.3.28(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
#
# curl --insecure https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2009  100  2009    0     0   1398      0  0:00:01  0:00:01 --:--:--  1520
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable


bash-4.3.30-1.pet

bash_DOC-4.3.30-1.pet

bash_NLS-4.3.30-1.pet


works in precise 5.5; no apparent frisbee problems.

thanks!