If you're running OpenSSL 1.0.1 in any Internet-facing services, then you'll want to:
(1) Read the advisories
(2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled)
(3) Figure out if you want to do key/cert rotation on assumption of compromise

Short version: length-checking flaw in TLS Heartbeats allows for 64kB of memory disclosure, and the researchers have proven that they can use this to exfiltrate the certificate's private key, and that this leaves no audit log. Affects all releases of OpenSSL 1.0.1 prior to today's "g" release.

http://www.openssl.org/news/vulnerabilities.html#2014-0160
http://heartbleed.com/

-Phil
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
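For triage ahead of step (2), an added example (not part of the original message) that classifies the text of `openssl version -a` against the range the message names. The function name, result labels and sample strings are constructed for illustration; `-DOPENSSL_NO_HEARTBEATS` is the OpenSSL build flag that compiles heartbeat support out.

```shell
#!/bin/sh
# Added example. Usage on a host:  classify_openssl "$(openssl version -a)"
# Prints one of: affected | heartbeats-disabled | fixed | not-1.0.1 | unknown

classify_openssl() {
    # $1 = full text of `openssl version -a` (plain `openssl version` also works,
    # but then a heartbeat-less build cannot be recognised).
    ver=$(printf '%s\n' "$1" |
          LC_ALL=C sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' |
          head -n 1)
    [ -n "$ver" ] || { echo unknown; return; }

    case "$ver" in
        1.0.1*) ;;                          # the only branch the message names
        *)      echo not-1.0.1; return ;;
    esac

    # Heartbeat support compiled out shows up in the "compiler:" flags line.
    if printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'; then
        echo heartbeats-disabled
        return
    fi

    letter=${ver#1.0.1}                     # "" for 1.0.1, "e" for 1.0.1e
    case "$letter" in
        ''|a|b|c|d|e|f) echo affected ;;    # 1.0.1 through 1.0.1f
        [0-9.]*)        echo unknown ;;     # not a release-letter suffix
        *)              echo fixed ;;       # 1.0.1g and later letters
    esac
}

# Constructed sample inputs, shaped like `openssl version -a` output.
SAMPLE_VULN='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -DOPENSSL_THREADS -O2'
SAMPLE_NOHB='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O2'
```

Distribution packages can carry a backported fix under an unchanged upstream version string, so confirm an "affected" result against the vendor's own advisory before acting on it.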