Page 1 of 1
Unreal IRCd & the 05-Jun-2014 OpenSSL vulns
Posted: Fri Jun 06, 2014 7:52 pm
by r3mbr4ndt
As far as the Windows version goes, can I just update some DLLs? Or will there be a new download package made like was done for heartbleed?
Thanks,
r3m
Re: Unreal IRCd & the 05-Jun-2014 OpenSSL vulns
Posted: Sat Jun 07, 2014 6:21 pm
by Stealth
What version of OpenSSL is your server running? You may find out by doing a /version as an oper on your server.
If you have OpenSSL version 1.0.0 or 1.0.1, you'll need to wait until we can get together a new release or patch for Windows. You can try to replace the OpenSSL DLL files, though as I recall they need to be compiled with specific parameters to be compatible with UnrealIRCD.
If you have any other version of OpenSSL, you're safe.
Re: Unreal IRCd & the 05-Jun-2014 OpenSSL vulns
Posted: Sat Jun 07, 2014 6:52 pm
by r3mbr4ndt
OpenSSL 1.0.1g 7 Apr 2014
Re: Unreal IRCd & the 05-Jun-2014 OpenSSL vulns
Posted: Sun Jun 08, 2014 4:27 pm
by Stealth
We have looked into the advisory, and it appears 6 of the 7 issues reported do not apply to UnrealIRCd. The issue that applies is the vulnerability in MITM which requires both the server AND client to be running a vulnerable version of OpenSSL to work. We will update the Windows compile with new OpenSSL libraries (DLLs) with the next update to UnrealIRCd (perhaps 2-3 weeks).
In the mean time, I recommend updating OpenSSL on the systems you use to IRC with as just having your client up to date will keep you safe.
Thank you for bringing this to our attention.
Re: Unreal IRCd & the 05-Jun-2014 OpenSSL vulns
Posted: Sun Jun 08, 2014 5:19 pm
by r3mbr4ndt
You're welcome. Thanks for the reply.