[Cialug] Heartbleed attack
Crouse
crouse at usalug.net
Tue Apr 8 00:43:09 CDT 2014
Well, this just ruined my night...
On Mon, Apr 7, 2014 at 7:45 PM, Nicolai <nicolai-cialug at chocolatine.org> wrote:
> Heartbleed is a new attack on TLS as implemented by OpenSSL. Long story
> short, it allows attackers to recover private keys, so sysadmins should
> take note. Read:
>
> http://heartbleed.com
>
> OpenSSL 1.0.1 up to 1.0.1f are vulnerable. 1.0.1g released today is
> not. (It's only vulnerable to attacks the public doesn't know about yet.)
>
> To check your version:
>
> $ openssl version -v -b
> OpenSSL 1.0.1 14 Mar 2012
> built on: Mon Apr 7 20:31:55 UTC 2014
>
> The above output is from a patched Ubuntu machine. A fix was applied
> to an older version of OpenSSL, closing the hole, hence the build date
> of today.
>
> OpenSSH is unaffected because it has nothing to do with TLS.
>
> However, consider private keys used by OpenSSL for TLS to be compromised
> as well as any traffic you may have encrypted using those keys. So it's time
> to make new keys.
>
> Nicolai
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
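
The version check from the quoted message, as an added example that is not part of the original thread: it parses `openssl version -v -b` output, applies the 1.0.1 through 1.0.1f range, and uses the build date to flag distro rebuilds like the patched Ubuntu package. The function names, result labels and the 2014-04-07 cutoff are assumptions; a later build date only suggests a backport, so confirm it against the distribution's package changelog.

```sh
#!/bin/sh
# Added example (not from the thread): triage `openssl version -v -b` output.
# Range from the post: 1.0.1 through 1.0.1f affected, 1.0.1g fixed.
# FIX_DATE is an assumption: the build date of the patched package in the post.
FIX_DATE=20140407

# Turn "built on: Mon Apr 7 20:31:55 UTC 2014" into YYYYMMDD; empty if unparsable.
build_date() {
  printf '%s\n' "$1" | awk '/^built on:/ {
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $4) + 2) / 3
    if (length($4) == 3 && m == int(m) && $NF ~ /^[0-9][0-9][0-9][0-9]$/)
      printf "%04d%02d%02d\n", $NF, m, $5
    exit }'
}

classify() {
  ver=$(printf '%s\n' "$1" | awk '/^OpenSSL /{print $2; exit}')
  ver=${ver%%-*}                       # drop vendor suffixes such as "-fips"
  case $ver in
    1.0.1|1.0.1[a-f]) ;;               # inside the affected range
    "") echo "unknown"; return ;;
    *)  echo "outside-listed-range"; return ;;
  esac
  built=$(build_date "$1")
  if [ -z "$built" ]; then
    echo "affected-version-build-date-unknown"
  elif [ "$built" -ge "$FIX_DATE" ]; then
    echo "affected-version-rebuilt-verify-backport"
  else
    echo "vulnerable"
  fi
}

# Sample inputs: PATCHED is the output quoted in the post; the others are constructed.
PATCHED='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:31:55 UTC 2014'
OLD_BUILD='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Jan 7 10:02:11 UTC 2014'
FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr 7 21:00:00 UTC 2014'

for sample in "$PATCHED" "$OLD_BUILD" "$FIXED"; do
  classify "$sample"
done
```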