[Sheflug] OpenSSL "heartbleed" vulnerability
In case no one's seen it (although I don't know how -- entire internet's lit
up like a beacon over the last 24 hours): there's an information disclosure
bug in OpenSSL that effectively means any webserver running specific
versions of OpenSSL 1.0.0 and 1.0.1 could be leaking information from a
random part of OpenSSL's memory space. And when I say random, I mean
random. First request might be benign, the subsequent request could contain
your server private keys.
The vulnerability report itself, with links to more information:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
See also http://heartbleed.com/ for a run-down of the bug.
Pretty much every dist has an urgent fix out for OpenSSL now; however, you
should also strongly consider updating your server certificates as a result
in case they've leaked.
Cheers,
Chris
--
Chris Johnson :: cej@xxxxxxxxxxxxxxxx :: PGP 0x1DDA5B01
:: http://cej.nightwolf.org.uk/
_______________________________________________
Sheffield Linux User's Group
http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk