Bear in mind that there is no way to tell if you've been compromised or not. If 
you can, it's worth erring on the side of caution. 

Phil Pennock <lopsa-t...@spodhuis.org> wrote:

>If you're running OpenSSL 1.0.1 in any Internet-facing services, then
>you'll want to:
>
> (1) Read the advisories
> (2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled)
> (3) Figure out if you want to do key/cert rotation on assumption of
>     compromise
>
>Short version: length-checking flaw in TLS Heartbeats allows for 64kB of
>memory disclosure, and the researchers have proven that they can use
>this to exfiltrate the certificate's private key, and that this leaves
>no audit log.  Affects all releases of OpenSSL 1.0.1 prior to today's
>"g" release.
>
>http://www.openssl.org/news/vulnerabilities.html#2014-0160
>http://heartbleed.com/
>
>-Phil
>
>_______________________________________________
>Tech mailing list
>Tech@lists.lopsa.org
>https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
>This list provided by the League of Professional System Administrators
> http://lopsa.org/
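
Added example (not part of the original messages, and not OpenSSL's code): a simplified C model of a TLS heartbeat handler, showing why the disclosure described above tops out at 64kB and what the missing length check looks like. The function names, the message layout constants (taken from RFC 6520) and the sample record are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3u   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16u  /* minimum padding per RFC 6520 */

/* Payload length the sender claims: a 16-bit field, so at most 65535. */
static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes a responder would echo if it trusted that field (the flaw). */
size_t hb_echo_len_unchecked(const uint8_t *rec, size_t rec_len)
{
    return rec_len < HB_HDR ? 0 : hb_claimed_len(rec);
}

/* Hardened handler: writes a response to out, or returns 0 to discard. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    size_t n, total;
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;                 /* too short, or not a request */
    n = hb_claimed_len(rec);
    total = HB_HDR + n + HB_MIN_PAD;
    if (total > rec_len || total > out_cap)
        return 0;                 /* claimed length exceeds what was received */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);   /* n is bounded by rec_len here */
    memset(out + HB_HDR + n, 0, HB_MIN_PAD); /* zeros for the example; real padding is random */
    return total;
}

int main(void)
{
    /* Constructed input: 19 bytes on the wire, 65535 claimed. */
    uint8_t bad[HB_HDR + HB_MIN_PAD] = {HB_REQUEST, 0xFF, 0xFF}, out[64];
    printf("unchecked echo: %zu bytes, hardened: %zu bytes\n",
           hb_echo_len_unchecked(bad, sizeof bad),
           hb_build_response(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

A discarded request produces no response and no error, so the hardened path is as silent in logs as the flawed one; the check prevents the over-read but does not by itself give you detection.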