14 Apr
2014
14 Apr
'14
6:39 p.m.
If you haven't heard about the openssl exploit yet, you haven't been reading the
news
I'm just wondering if it applies to openvms (or alpha) or other classic systems?
And if it does, is there going to be a bugfix for this?
Dan.
14 Apr
14 Apr
7:36 p.m.
On 14/04/14 9:39 PM, Dan Gahlinger wrote:
If you haven't heard about the openssl exploit
yet, you haven't been reading the news
I'm just wondering if it applies to openvms (or alpha) or other classic systems?
And if it does, is there going to be a bugfix for this?
Dan.
Short answer: It strictly applies to particular recent versions of
OpenSSL. If they aren't running OpenSSL of that version, exposed through
an open TLS port, then no.
--Toby
15 Apr
15 Apr
6:11 a.m.
On 15 April 2014 02:39, Dan Gahlinger <dgahling at hotmail.com> wrote:
If you haven't heard about the openssl exploit
yet, you haven't been reading the news
I'm just wondering if it applies to openvms (or alpha) or other classic systems?
And if it does, is there going to be a bugfix for this?
Only if you're running the PDP-11 edition of OS/2.
--
Liam Proven * Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk * GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com * Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 * Cell: +44 7939-087884
8:56 a.m.
Or your name is Richard Sexton,
Date: Tue, 15 Apr 2014 14:11:28 +0100
Subject: Re: heartbleed bug/fix for openvms ?
From: lproven at gmail.com
To: cctalk at classiccmp.org
On 15 April 2014 02:39, Dan Gahlinger <dgahling at hotmail.com> wrote:
If you haven't heard about the openssl
exploit yet, you haven't been reading the news
I'm just wondering if it applies to openvms (or alpha) or other classic systems?
And if it does, is there going to be a bugfix for this?
Only if you're running the PDP-11 edition of OS/2.
--
Liam Proven * Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk * GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com * Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 * Cell: +44 7939-087884 
7:20 a.m.
On Mon, 14 Apr 2014, Dan Gahlinger wrote:
If you haven't heard about the openssl exploit
yet, you haven't been reading the news
I'm just wondering if it applies to openvms (or alpha) or other classic systems?
And if it does, is there going to be a bugfix for this?
Dan, it's my understanding that the bug that caused this exploit path was
introduced in 2011.
g.
--
Proud owner of F-15C 80-0007
http://www.f15sim.com - The only one of its kind.
http://www.diy-cockpits.org/coll - Go Collimated or Go Home.
Some people collect things for a hobby. Geeks collect hobbies.
ScarletDME - The red hot Data Management Environment
A Multi-Value database for the masses, not the classes.
http://scarlet.deltasoft.com - Get it _today_!
7:46 a.m.
On Apr 15, 2014, at 10:20 AM, geneb <geneb at deltasoft.com> wrote:
On Mon, 14 Apr 2014, Dan Gahlinger wrote:
The documentation about the issue makes it clear that it exists in OpenSSL 1.0.1x for x
< ?g? and 1.0.2y for some y I don?t remember. It does not exist in OpenSSL 1.0.0 or
earlier. So you can look at the version in those platforms and find the answer.
If you have a bad version, you can upgrade to a good one, or turn off the bug by
recompiling with a preprocessor definition that turns off the offending code.
paul
If you haven't heard about the openssl
exploit yet, you haven't been reading the news
I'm just wondering if it applies to openvms (or alpha) or other classic systems?
And if it does, is there going to be a bugfix for this?
Dan, it's my understanding that the bug that caused this exploit path was
introduced in 2011.
8:03 a.m.
On 15 April 2014 15:46, Paul Koning <paulkoning at comcast.net> wrote:
The documentation about the issue makes it clear that
it exists in OpenSSL 1.0.1x for x < 'g' and 1.0.2y for some y I don't
remember. It does not exist in OpenSSL 1.0.0 or earlier. So you can look at the version
in those platforms and find the answer.
If you have a bad version, you can upgrade to a good one, or turn off the bug by
recompiling with a preprocessor definition that turns off the offending code.
Yes, but OpenSSL doesn't run on VMS, does it? As VMS predates ssh by
about 20 years or so (SSH 1.0 1995) and VMS doesn't have many FOSS or
GPL bits AFAIK.
--
Liam Proven * Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk * GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com * Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 * Cell: +44 7939-087884
8:18 a.m.
On Tue, 15 Apr 2014, Liam Proven wrote:
On 15 April 2014 15:46, Paul Koning <paulkoning at
comcast.net> wrote:
Process Software offers TCPware for OpenVMS, which includes SSH. Their
web page states:
"Process Software's products including MultiNet, TCPware, PMDF,
PreciseMail, VAM, and SSH-UCX are NOT vulnerable to this attack. These
products do not use the versions of OpenSSL open to attack. No patches or
configuration changes are required to secure any version of these
products."
http://www.process.com/psc/service-support/process-software-products-not-vu…
Mike Loewen mloewen at cpumagic.scol.pa.us
Old Technology http://sturgeon.css.psu.edu/~mloewen/Oldtech/
The documentation about the issue makes it clear
that it exists in OpenSSL 1.0.1x for x < 'g' and 1.0.2y for some y I don't
remember. It does not exist in OpenSSL 1.0.0 or earlier. So you can look at the version
in those platforms and find the answer.
If you have a bad version, you can upgrade to a good one, or turn off the bug by
recompiling with a preprocessor definition that turns off the offending code.
Yes, but OpenSSL doesn't run on VMS, does it? As VMS predates ssh by
about 20 years or so (SSH 1.0 1995) and VMS doesn't have many FOSS or
GPL bits AFAIK.
8:58 a.m.
You mean like these: http://www.polarhome.com/openssl/maybe you should read before opening
your fat mouth.
Dan.
Date: Tue, 15 Apr 2014 16:03:25 +0100
Subject: Re: heartbleed bug/fix for openvms ?
From: lproven at gmail.com
To: cctalk at classiccmp.org
On 15 April 2014 15:46, Paul Koning <paulkoning at comcast.net> wrote:
The documentation about the issue makes it clear
that it exists in OpenSSL 1.0.1x for x < 'g' and 1.0.2y for some y I don't
remember. It does not exist in OpenSSL 1.0.0 or earlier. So you can look at the version
in those platforms and find the answer.
If you have a bad version, you can upgrade to a good one, or turn off the bug by
recompiling with a preprocessor definition that turns off the offending code.
Yes, but OpenSSL doesn't run on VMS, does it? As VMS predates ssh by
about 20 years or so (SSH 1.0 1995) and VMS doesn't have many FOSS or
GPL bits AFAIK.
--
Liam Proven * Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk * GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com * Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 * Cell: +44 7939-087884 
9:01 a.m.
New subject: R: heartbleed bug/fix for openvms ?
I think it runs, as part of the porting project
-----Messaggio originale-----
Da: cctalk-bounces at classiccmp.org [mailto:cctalk-bounces at classiccmp.org] Per
conto di Liam Proven
Inviato: marted? 15 aprile 2014 17:03
A: General Discussion: On-Topic and Off-Topic Posts
Oggetto: Re: heartbleed bug/fix for openvms ?
On 15 April 2014 15:46, Paul Koning <paulkoning at comcast.net> wrote:
The documentation about the issue makes it clear that
it exists in OpenSSL
1.0.1x for x < 'g' and 1.0.2y for some y I don't
remember. It does not
exist in OpenSSL 1.0.0 or earlier. So you can look at the version in those
platforms and find the answer.
If you have a bad version, you can upgrade to a good one, or turn off the
bug by
recompiling with a preprocessor definition that turns off the
offending code.
Yes, but OpenSSL doesn't run on VMS, does it? As VMS predates ssh by about
20 years or so (SSH 1.0 1995) and VMS doesn't have many FOSS or GPL bits
AFAIK.
--
Liam Proven * Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk * GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com * Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 * Cell: +44 7939-087884
8:28 a.m.
If you haven't heard about the openssl exploit
yet, you haven't been reading$
I'm just wondering if it applies to openvms (or
alpha) or other classic syst$
Only if they are using a vulnerable version of OpenSSL (unlikely) - or
have somehow managed to recreate the bug independently (possibly even
more unlikely). This is not a bug in the protocol (SSL); it is a bug
one popular implementation of the protocol (OpenSSL).
And if it does, is there going to be a bugfix for
this?
In the first case above (using a vulnerable version of OpenSSL), the
bugfix already exists. In the second case above, it's like any other
piece of legacy code: fixing it means finding someone who has the
source, or is willing to work out a binary patch, etc....
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
3:19 p.m.
On 15 Apr 2014, at 11:39 am, Dan Gahlinger <dgahling at hotmail.com> wrote:
If you haven't heard about the openssl exploit
yet, you haven't been reading the news
I'm just wondering if it applies to openvms (or alpha) or other classic systems?
And if it does, is there going to be a bugfix for this?
OpenVMS is not vulnerable if you are using the HP provided OpenSSL libraries. If you go to
http://h71000.www7.hp.com/openvms/products/ssl/ssl.html you will see that the OpenVMS
OpenSSL is based on version 0.9.8y and is not vulnerable. If you have products that use
OpenSSL running on OpenVMS you need to check that they haven?t baked in a different
version of OpenSSL which might be vulnerable. I am aware of at least one such product?
Huw Davies | e-mail: Huw.Davies at kerberos.davies.net.au
Melbourne | "If soccer was meant to be played in the
Australia | air, the sky would be painted green"
3909
days inactive
3909
days old
12 comments
10 participants
participants (10)
-
cisin@xenosoft.com -
dgahling@hotmail.com -
geneb@deltasoft.com -
huw.davies@mail.vsm.com.au -
lproven@gmail.com -
mazzinia@tin.it -
mloewen@cpumagic.scol.pa.us -
mouse@Rodents-Montreal.ORG -
paulkoning@comcast.net -
toby@telegraphics.com.au