I have to agree. I'm a bit frustrated that I cannot seem to find this information easily.
Even an announcement that was a placeholder for future information would be preferable to nothing.
-----Original Message-----
From: Douglas Siggins [mailto:siggins@gmail.com]
Sent: Wednesday, April 09, 2014 10:48 AM
To: Michael Garrison
Cc: Elliott, Kevin C (DOR); toasters@teaparty.net
Subject: Re: heartbleed -- Netapp SSL
I hope that Netapp gets on top of this. I can only bet support phone calls are costing them more than not releasing public information. It's a shame I had to post to toasters knowing that I'd get useful information more rapidly.
There should at the least be links to some information via the NOW site.
end rant :)
On Wed, Apr 9, 2014 at 2:11 PM, Michael Garrison mcgarr@umich.edu wrote:
You should be able to reference it in a case if you open it, but the information I passed along is probably internal NetApp information. If I find out more I'll pass it along.
-- Mike Garrison
On Wed, Apr 9, 2014 at 1:28 PM, Elliott, Kevin C (DOR) kevin.elliott@alaska.gov wrote:
815987 - A public report should be prepared to indicate that this is not applicable to existing releases as no version of ONTAP ships with OpenSSL 1.0.1x.
Any word on when this report should be released? Is 815987 a NetApp Bug ID that I can reference (it did not return any results)?
Kevin Elliott
Microcomputer/Network Specialist
Alaska Department of Revenue, ASD-IT
(907) 465-2314
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Fletcher Cocquyt
Sent: Wednesday, April 09, 2014 12:19 AM
To: Ryan Kather
Cc: toasters@teaparty.net
Subject: Re: heartbleed -- Netapp SSL
It's been a busy day "2/3 of the internet vulnerable"
I've collected external web and internal cmd line tool links to check if your SSL is vulnerable.
http://www.vmadmin.info/2014/04/esxi-55-vulnerable-to-openssl.html
ONTAP 8.1.2 does not appear to be vulnerable
On Apr 8, 2014, at 4:54 PM, Ryan Kather rkather@missionpenguin.com wrote:
You don't need to take the vendor's word for it. You can test yourself with:
https://github.com/FiloSottile/Heartbleed
On Tue, Apr 8, 2014 at 5:17 PM, Michael Garrison mcgarr@umich.edu wrote:
We asked support and some of our very helpful NetApp folks earlier today and received the following bug IDs:
815987 - A public report should be prepared to indicate that this is not applicable to existing releases as no version of ONTAP ships with OpenSSL 1.0.1x.
795741 CVE-BUNDLE-OPENSSL: Upgrade OCUM 6.x OpenSSL to 1.0.1g
795814 CVE-BUNDLE-OPENSSL: Upgrade OPM (post-1.0) OpenSSL to 1.0.1g
795466 is for OCUM 5.2XX
So ONTAP isn't vulnerable, but other things like OCUM are.
Hope that helps, Mike Garrison
On Tue, Apr 8, 2014 at 5:08 PM, Douglas Siggins siggins@gmail.com wrote:
Greetings, Looking for a quick way to determine what versions of SSL are in use in DOT (7-mode). I could not find anything specific.
I assume the version of SSL is probably not 1.0.1 - 1.0.1f on the Netapps. Anyone have any ideas where to look?
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
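Added example, not part of the thread and not NetApp or OpenSSL project code: a small triage helper that sorts collected OpenSSL version banners against the range quoted above (1.0.1 through 1.0.1f, with 1.0.1g as the upgrade target). The function names, host names and sample banners are constructed for illustration.

```python
import re

# Match the OpenSSL token only, so other versions in a server banner
# (e.g. Apache or mod_ssl) are not mistaken for the TLS library version.
_OPENSSL = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def classify_openssl(banner):
    """Classify a banner against the range quoted in the thread.

    Returns 'in-affected-range', 'outside-affected-range' or 'unparsed'.
    """
    m = _OPENSSL.search(banner)
    if not m:
        return "unparsed"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    if branch != (1, 0, 1):
        return "outside-affected-range"
    # Patch letters sort alphabetically: "" (plain 1.0.1) and a..f are in
    # range; g and later are at or past the upgrade target named above.
    return "in-affected-range" if letter < "g" else "outside-affected-range"


def follow_up(inventory):
    """Return (host, status) pairs that still need a closer look."""
    # Caveat: distributions often backport fixes without changing the
    # version letter, so an in-range banner means "check the package
    # changelog or test the service", not "confirmed vulnerable".
    flagged = [(host, classify_openssl(banner)) for host, banner in inventory.items()]
    return sorted(item for item in flagged if item[1] != "outside-affected-range")


# Constructed sample inventory: host name -> banner as collected.
SAMPLE = {
    "filer-a": "OpenSSL 0.9.8y 5 Feb 2013",
    "mgmt-a": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "mgmt-b": "OpenSSL 1.0.1g 7 Apr 2014",
    "web-a": "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1c",
    "appliance-x": "unknown TLS stack",
}

if __name__ == "__main__":
    for host, status in follow_up(SAMPLE):
        print(f"{host}: {status}")
```

Hosts reported as unparsed are kept in the follow-up list on purpose, since a missing banner says nothing about which library is in use.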