Statement on Heartbleed and the openSUSE Forums

From Attachmate’s IS&T:

— snip —

Statement Regarding Heartbleed Vulnerability:

We have received several inquiries regarding our site’s susceptibility to
the recently discovered OpenSSL vulnerability.

For the vast majority of NetIQ, Novell, and SUSE customer-facing sites, we
use an ADC to terminate SSL connections. This appliance uses a
hardware-based cryptography module that does not use OpenSSL. In addition, the
vast majority of our internal servers run SUSE Linux Enterprise, which
does not use any affected versions of OpenSSL. To be safe, we have tested
a number of our sites since the beginning of the week, using the
heartbleed script and through the excellent SSL Labs service
(https://www.ssllabs.com). These tests have not revealed any problems with our SSL
implementation.

Regards,

The Attachmate Group IS&T

— snip —

(Also posted at the top of the forums page on the web side)


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2014-04-11 06:36, Jim Henderson wrote:
> From Attachmate’s IS&T:
>
> — snip —

Thanks.

Is there a link to the full post, not a snip? :-?

> (Also posted at the top of the forums page on the web side)

Sorry, no, I don’t see any such thing. Has it been removed? Or do I need
to login to see it?


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Fri 11 Apr 2014 01:43:16 PM CDT, Carlos E. R. wrote:

> On 2014-04-11 06:36, Jim Henderson wrote:
>> From Attachmate’s IS&T:
>>
>> — snip —
>
> Thanks.
>
> Is there a link to the full post, not a snip? :-?
>
>> (Also posted at the top of the forums page on the web side)
>
> Sorry, no, I don’t see any such thing. Has it been removed? Or do I need
> to login to see it?

Hi
You need to login.


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-7-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

On Fri, 11 Apr 2014 13:43:16 +0000, Carlos E. R. wrote:

> On 2014-04-11 06:36, Jim Henderson wrote:
>> From Attachmate’s IS&T:
>>
>> — snip —
>
> Thanks.
>
> Is there a link to the full post, not a snip? :-?

That is the full text.

>> (Also posted at the top of the forums page on the web side)
>
> Sorry, no, I don’t see any such thing. Has it been removed? Or do I need
> to login to see it?

You need to browse into one of the forums - it’s not on the front page.
I don’t think a login is needed.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2014-04-11 16:26, malcolmlewis wrote:

> Hi
> You need to login.

Oh.

But you see, why login on a site you suspect is affected by the security
bug, to learn out if it is affected or not?

That’s contradictory :-)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Fri 11 Apr 2014 04:48:05 PM CDT, Carlos E. R. wrote:

> On 2014-04-11 16:26, malcolmlewis wrote:
>
>> Hi
>> You need to login.
>
> Oh.
>
> But you see, why login on a site you suspect is affected by the security
> bug, to learn out if it is affected or not?
>
> That’s contradictory :-)

Hi
Hmm, well you have a conundrum then…


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-7-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

On 04/11/2014 12:16 PM, malcolmlewis wrote:
> On Fri 11 Apr 2014 04:48:05 PM CDT, Carlos E. R. wrote:
>
>> On 2014-04-11 16:26, malcolmlewis wrote:
>>
>>> Hi
>>> You need to login.
>>
>> Oh.
>>
>> But you see, why login on a site you suspect is affected by the security
>> bug, to learn out if it is affected or not?
>>
>> That’s contradictory :-)
>
> Hi
> Hmm, well you have a conundrum then…

Logging onto the site is not the safe way to check it. Use
https://www.ssllabs.com/ssltest/index.html, or one of the other similar sites,
to test the site. Whether it passes or fails, change the password, but do
nothing else if it fails. Once the site is fixed, then do another password change.

On 2014-04-11 18:27, Jim Henderson wrote:
> On Fri, 11 Apr 2014 13:43:16 +0000, Carlos E. R. wrote:

>> Sorry, no, I don’t see any such thing. Has it been removed? Or do I need
>> to login to see it?
>
> You need to browse into one of the forums - it’s not on the front page.

I tried.

> I don’t think a login is needed.

Yes, it is… :-o


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Fri, 11 Apr 2014 16:48:05 +0000, Carlos E. R. wrote:

> On 2014-04-11 16:26, malcolmlewis wrote:
>
>> Hi You need to login.
>
> Oh.
>
> But you see, why login on a site you suspect is affected by the security
> bug, to learn out if it is affected or not?
>
> That’s contradictory :-)

I’ve passed this feedback along and asked for it to be displayed pre-login
instead.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Fri, 11 Apr 2014 17:53:16 +0000, Carlos E. R. wrote:

> On 2014-04-11 18:27, Jim Henderson wrote:
>> On Fri, 11 Apr 2014 13:43:16 +0000, Carlos E. R. wrote:
>
>
>>> Sorry, no, I don’t see any such thing. Has it been removed? Or do I
>>> need to login to see it?
>>
>> You need to browse into one of the forums - it’s not on the front page.
>
> I tried.
>
>> I don’t think a login is needed.
>
> Yes, it is… :-o

Not any more.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2014-04-11 20:07, Jim Henderson wrote:

> I’ve passed this feedback along and asked for it to be displayed pre-login
> instead.

Thanks!

You might consider this as well: on sites like
<mashable.com/2014/04/09/heartbleed-bug-websites-affected/> they list
sites. For Novell, the link they give is
<support.novell.com/security/cve/CVE-2014-0160.html>, which is not a
statement, but about the updated packages.

IMO, Attachmate/SUSE/Novell/openSUSE should have a statement somewhere
about how this affects or not any of their sites, besides the
information on how to patch machines using any one of the products.

A possible place could be a link accessed on the very login page, which
is used by anyone attempting to login to any of the services, not just
the forums. A link or a paragraph in there.

Just a thought :-)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-04-11 20:07, Jim Henderson wrote:
> I’ve passed this feedback along and asked for it to be displayed pre-login
> instead.

Done already… that was fast :-o :-)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Fri, 11 Apr 2014 18:23:06 +0000, Carlos E. R. wrote:

> On 2014-04-11 20:07, Jim Henderson wrote:
>
>> I’ve passed this feedback along and asked for it to be displayed
>> pre-login instead.
>
> Thanks!
>
>
> You might consider this as well: on sites like
> <mashable.com/2014/04/09/heartbleed-bug-websites-affected/> they list
> sites. For Novell, the link they give is
> <support.novell.com/security/cve/CVE-2014-0160.html>, which is not a
> statement, but about the updated packages.
>
> IMO, Attachmate/SUSE/Novell/openSUSE should have a statement somewhere
> about how this affects or not any of their sites, besides the
> information on how to patch machines using any one of the products.
>
>
> A possible place could be a link accessed on the very login page, which
> is used by anyone attempting to login to any of the services, not just
> the forums. A link or a paragraph in there.
>
> Just a thought :-)

Not a bad thought, but I know that some think that trying to keep all the
external sites with incorrect information on them updated is an
insurmountable task. They should probably have a public statement
somewhere.

I’ll pass this along.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Fri, 11 Apr 2014 18:23:06 +0000, Carlos E. R. wrote:

> You might consider this as well: on sites like
> <mashable.com/2014/04/09/heartbleed-bug-websites-affected/> they list
> sites. For Novell, the link they give is
> <support.novell.com/security/cve/CVE-2014-0160.html>, which is not a
> statement, but about the updated packages.

Actually, I’m not finding Novell on the list of sites on that page…

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2014-04-12 01:14, Jim Henderson wrote:
> On Fri, 11 Apr 2014 18:23:06 +0000, Carlos E. R. wrote:
>
>> You might consider this as well: on sites like
>> <mashable.com/2014/04/09/heartbleed-bug-websites-affected/> they list
>> sites. For Novell, the link they give is
>> <support.novell.com/security/cve/CVE-2014-0160.html>, which is not a
>> statement, but about the updated packages.
>
> Actually, I’m not finding Novell on the list of sites on that page…

You are right. It is no longer there.

I’m sure it was there before because I copy-pasted some entries into a
local file for my reference…

:-o :-?


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-04-11 20:08, Jim Henderson wrote:
> On Fri, 11 Apr 2014 17:53:16 +0000, Carlos E. R. wrote:

>>> I don’t think a login is needed.
>>
>> Yes, it is… :-o
>
> Not any more.

I noticed. Good work, thanks.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Double-hmm. It appears, then, that your contradictory conundrum has been collectively corroborated.

… which I see before I log in, all day today. Good.

On Sat, 12 Apr 2014 01:23:06 +0000, Carlos E. R. wrote:

> On 2014-04-12 01:14, Jim Henderson wrote:
>> On Fri, 11 Apr 2014 18:23:06 +0000, Carlos E. R. wrote:
>>
>>> You might consider this as well: on sites like
>>> <mashable.com/2014/04/09/heartbleed-bug-websites-affected/> they list
>>> sites. For Novell, the link they give is
>>> <support.novell.com/security/cve/CVE-2014-0160.html>, which is not a
>>> statement, but about the updated packages.
>>
>> Actually, I’m not finding Novell on the list of sites on that page…
>
> You are right. It is no longer there.
>
> I’m sure it was there before because I copy-pasted some entries into a
> local file for my reference…
>
> :-o :-?

It’s entirely possible someone contacted them and pointed out that they
aren’t vulnerable, or that someone at mashable noticed the notices on the
forums.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C