I completely agree.
I really did expect more from a company who commercially sells software to patch vulnerable systems.
I just installed patch 87. Prior to installing it, I deleted libeay32.dll, openssl.exe, ssleay32.dll in \apache\bin. After the patch was installed, it had copied the old and vulnerable 1.0.1i into the folder and NOT the most recent, patched version J.
I told support that patch 86 didn't have 1.0.1J included with it and that it was putting back in the insecure version i back Nov-11-2014, one month ago. This was their reply to me:
"Latest build includes the Open SSL version 1.0.1 J. Let me know if you will need further assistance in this case."
Well, patch 86 didn't have it even though they insisted it did. Patch 87 still doesn't contain updated OpenSSL. What are they waiting on?
POODLE, as well as other vulnerabilities, has had a patch from OpenSSL available for every version branch for nearly 2 months now (4 days shy of the 15th). And, as of 2 days ago, come to find some implementations of TLS also are affected by the same POODLE vulnerability by not properly validating padding: http://www.zdnet.com/article/poodle-not-fixed-some-tls-systems-vulnerable/
BTW, I have enabled newsletters and did receive an update announcement at the end of November. I find it a little disheartening there is only one notification sent out a month concerning updates. I would rather be notified within a few days when a hotfix is released to see if it has anything I would like to update/patch instead of waiting potentially up to nearly a month for it. The lack of proper notification of updates for Desktop Central is rather alarming, as well as not patching the vulnerable components of the software.