[Micronet] register Office iPad apps?

[Micronet] register Office iPad apps?

Greg Merritt
Does / will our UCB Microsoft licensing allow some sort of Office 365 authentication to unlock editing for the new iPad versions of PowerPoint, Word, and Excel?

Thanks!

-Greg

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
[Micronet] Not all versions of OpenSSL are affected

Bruce Satow
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley [hidden email] and Bodo Moeller [hidden email] for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.



--

Bruce Satow
Systems Administrator
  University of California at Berkeley  
Space Sciences Laboratory
7 Gauss Way
Berkeley, California 94720-7450
[hidden email]
Phone: (510) 643-2348
Cell: (510) 847-1914
 
Si hoc legere scis nimium eruditionis habes

Re: [Micronet] Not all versions of OpenSSL are affected

Michael Sinatra-3
On 04/10/2014 13:08, Bruce Satow wrote:

> OpenSSL Security Advisory [07 Apr 2014]
> ========================================
>
> TLS heartbeat read overrun (CVE-2014-0160)
> ==========================================
>
> A missing bounds check in the handling of the TLS heartbeat extension can be
> used to reveal up to 64k of memory to a connected client or server.
>
> Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
> 1.0.1f and 1.0.2-beta1.

Yes, but...

Until Monday night, it was a best practice to run to TLSv1.2.  Earlier
versions of SSL/TLS are subject to various vulnerabilities, including
BEAST.  In many distros, modern web servers (e.g. apache, nginx) would
automatically pull in OpenSSL v1.0.1 in order to support TLSv1.2.  And
it is the heartbeat code in OpenSSL's implementation of TLSv1.2 that is
precisely the problem.  For other stuff where you just needed the crypto
(and you didn't need certain forms of ECC), the older versions work just
fine.

So there's kind of a vicious cycle.  If you were following best
practices for running an SSL-enabled web server, then you would have had
a vulnerable SSL-enabled web server.

michael

PS. Once the vulnerability is patched, it will again be a best practice
to run TLSv1.2.

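An added example, not part of any message in this thread and not OpenSSL project code: a Python check that classifies `openssl version -a` output against the version ranges in the advisory quoted above and recognises the `-DOPENSSL_NO_HEARTBEATS` rebuild. The function names and sample strings are constructed for illustration, and it assumes the build flag shows up on the `compiler:` line.

```python
import re

# Version line as printed by `openssl version` / `openssl version -a`.
_VERSION = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]?)(?:-beta(\d+))?")

# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "web1": "OpenSSL 1.0.1e-fips\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O2",
    "web2": "OpenSSL 1.0.1f\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2",
    "web3": "OpenSSL 1.0.1g\ncompiler: gcc -O2",
    "old1": "OpenSSL 0.9.8y\ncompiler: gcc -O2",
    "dev1": "OpenSSL 1.0.2-beta1\ncompiler: gcc -O2",
}


def heartbeat_status(version_output):
    """Return 'affected', 'mitigated', 'not affected' or 'unknown'."""
    m = _VERSION.search(version_output)
    if m is None:
        return "unknown"
    base, letter, beta = m.groups()
    if base == "1.0.1":
        # 1.0.1 through 1.0.1f are affected; 1.0.1g carries the fix.
        # Assumption: 1.0.1 pre-releases, which the advisory does not
        # list, are also reported as affected.
        affected = letter < "g"
    elif base == "1.0.2":
        # 1.0.2-beta1 is affected; the fix lands in 1.0.2-beta2.
        affected = beta is not None and int(beta) < 2
    else:
        # Other branches (0.9.8, 1.0.0, ...) are not named as affected.
        affected = False
    if not affected:
        return "not affected"
    # The advisory's workaround: rebuilt with heartbeats compiled out.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "mitigated"
    return "affected"


def triage(samples):
    """Map each host label to its status."""
    return {host: heartbeat_status(out) for host, out in samples.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLES).items()):
        print(f"{host}: {status}")
```

Distribution packages often backport the fix without changing the upstream version letter, so an "affected" result should be confirmed against the vendor's package changelog before acting on it.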