[ale] Linux TCP Flaw

Wolf Halton wolf.halton at gmail.com
Sat Aug 13 03:18:10 EDT 2016


Talking about the POODLE exploit? I seem to be missing the OP with a link. 
PCI DSS 3.1 came out announcing SSL was compromised and could no longer pass compliance. Early TLS similarly was compromised. The openssh package was discovered to have a flaw, now patched. PCI DSS 3.2 gave orgs a little more time to fix (reconfigure) their existing hosts to deny SSL and early TLS. 
You cannot believe the howling and gnashing of teeth from business unit owners who were terrified they would lose a penny because their customers might be using Internet Explorer six or eight. Apparently they don't know I don't care that their web servers are collecting information about the browser version, and they could check to see if there were any antique browsers contacting them. 

Wolf Halton
Mobile/Text 678-687-6104

--
Sent from my iPhone. Creative word completion courtesy of Apple, Inc. 

> On Aug 12, 2016, at 11:05, Jim Kinney <jim.kinney at gmail.com> wrote:
> 
> My understanding is this can be used to force an ssh/ssl/tls connection to downgrade encryption to a version that's easily crackable. For high security systems, those formats should already be disabled. But for public facing sites that have to work with clients that may not yet support better methods, the mitigation method is essential. I see no reason to not implement the mitigation on hardened servers as a diaper. It should also be done on all client systems as those usually don't have hardened encryption initiated unless they are a rather new install with special follow-on procedures.
> 
> 
>> On Aug 12, 2016 9:56 AM, "Lightner, Jeffrey" <JLightner at dsservices.com> wrote:
>> https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html
>> 
>> Other stories related to this last night.
>> 
>> My read last night was disturbing because it says it can be used to disrupt even ssh/sftp/https connections.
>> 
>> Although it says it is in the 3.6 kernel and later it appears some earlier kernels for RedHat (and therefore CentOS and other derivatives) are affected. RedHat says all RHEL6.5 and above and RHEL 7. Earlier versions they say are not affected. 
>> 
>> There is a mitigation in the story which is the same being suggested by RedHat.
>> 
>> Jeffrey C. Lightner
>> Sr. UNIX/Linux Administrator
>> 
>> DS Services of America, Inc.
>> 2300 Windy Ridge Pkwy
>> Suite 600 N
>> Atlanta, GA 30339-8461
>> 
>> P: 678-486-3516
>> C: 678-772-0018
>> F: 678-460-3603
>> E: jlightner at dsservices.com
>> 
>> CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you
>> 
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>> 
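Wolf's point above, that a web server's own access logs already show whether any antique browsers are still connecting, can be checked before SSL and early TLS are disabled. The script below is an added example, not code from the thread or from any of its authors: it parses combined-format access log lines (the sample lines are constructed) and flags user-agents that, by the illustrative rule in the docstring, cannot negotiate TLS 1.1 or later.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (not from the
# thread); the user-agent is the last quoted field on each line.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2016:09:56:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.6 - - [12/Aug/2016:09:56:02 -0400] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.7 - - [12/Aug/2016:09:56:03 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
203.0.113.8 - - [12/Aug/2016:09:56:04 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
203.0.113.9 - - [12/Aug/2016:09:56:05 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
"""

# Combined log format: client IP first, user-agent is the final quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<agent>[^"]*)"$')
# Internet Explorer token plus Windows NT version, e.g. "MSIE 8.0; Windows NT 5.1".
MSIE_RE = re.compile(r'MSIE (?P<ver>\d+)\.\d+;.*?Windows NT (?P<nt>\d+\.\d+)')


def classify_agent(agent):
    """Return 'legacy' when the client cannot negotiate TLS 1.1 or later.

    Illustrative rule (an assumption of this example, not from the thread):
    IE 6/7 anywhere, and any IE on Windows XP/2003/Vista (NT < 6.1), are
    capped at TLS 1.0 by the OS.  IE 8/9 on Windows 7 can use TLS 1.1/1.2
    only if enabled in Internet Options, which the user-agent cannot show.
    """
    m = MSIE_RE.search(agent)
    if not m:
        return "modern"
    ie_major = int(m.group("ver"))
    nt_version = tuple(int(x) for x in m.group("nt").split("."))
    if ie_major <= 7 or nt_version < (6, 1):
        return "legacy"
    return "modern"


def scan_log(text):
    """Count requests per class and collect the distinct legacy user-agents."""
    counts = Counter()
    legacy_agents = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        cls = classify_agent(m.group("agent"))
        counts[cls] += 1
        if cls == "legacy":
            legacy_agents.add(m.group("agent"))
    return counts, sorted(legacy_agents)


if __name__ == "__main__":
    totals, legacy = scan_log(SAMPLE_LOG)
    print(dict(totals))            # {'legacy': 2, 'modern': 3}
    for ua in legacy:
        print("legacy client:", ua)
```

Run it over a real access log (for example `scan_log(open("/var/log/httpd/access_log").read())`) to get the count of requests that would break once SSLv3 and TLS 1.0 are turned off.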