On 7 Apr 2014 21:42, "Phil Pennock" <lopsa-t...@spodhuis.org> wrote:
>
> If you're running OpenSSL 1.0.1 in any Internet-facing services, then
> you'll want to:
>
> (1) Read the advisories
> (2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled)
> (3) Figure out if you want to do key/cert rotation on assumption of
> compromise
>
> Short version: length-checking flaw in TLS Heartbeats allows for 64kB of
> memory disclosure, and the researchers have proven that they can use
> this to exfiltrate the certificate's private key, and that this leaves
> no audit log. Affects all releases of OpenSSL 1.0.1 prior to today's
> "g" release.
>
> http://www.openssl.org/news/vulnerabilities.html#2014-0160
> http://heartbleed.com/
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

"The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said."

Hahahaha...
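As an added illustration of the "length-checking flaw in TLS Heartbeats" that the quoted advisory summarises, the following is a constructed toy model of a heartbeat parser, not OpenSSL's source and not code from anyone on this thread. It shows the vulnerable shape (the peer-supplied payload_length is trusted and the received record length is never consulted) next to the bounds check that 1.0.1g added. The names `build_record`, `hb_echo_vulnerable`, `hb_echo_fixed`, `leaked_secret`, the `arena` buffer and the `secret` marker are all assumptions made for this example; the `out_cap` guard exists only so the demo stays inside its own buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal model of an RFC 6520 heartbeat request as OpenSSL 1.0.1 parsed it:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16)
 * Everything below is constructed for illustration; it is not OpenSSL code. */
enum { HB_HDR_LEN = 3, HB_MIN_PADDING = 16, HB_REQUEST = 1 };

/* Constructed "process memory": the heartbeat record sits at offset 0 and is
 * followed by unrelated bytes that a correct parser must never echo back. */
#define ARENA_LEN 64
static uint8_t arena[ARENA_LEN];
static const uint8_t secret[] = "KEYMATERIAL";   /* constructed marker */

/* Build a record whose header claims `claimed` payload bytes while only
 * `actual` payload bytes (plus minimum padding) are really present.
 * Returns the true record length, or 0 if it would not fit the arena. */
size_t build_record(uint16_t claimed, size_t actual) {
    size_t rec_len = HB_HDR_LEN + actual + HB_MIN_PADDING;
    if (rec_len + sizeof secret > ARENA_LEN) return 0;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memset(arena + HB_HDR_LEN, 'A', actual);                 /* payload  */
    memset(arena + HB_HDR_LEN + actual, 0, HB_MIN_PADDING);  /* padding  */
    memcpy(arena + rec_len, secret, sizeof secret);          /* adjacent */
    return rec_len;
}

/* Vulnerable shape (CVE-2014-0160): copies payload_length bytes from the
 * record without comparing it to the bytes actually received.
 * `out_cap` only keeps this demo inside `arena`. Returns bytes echoed. */
int hb_echo_vulnerable(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    (void)rec_len;                    /* the bug: received length is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) payload_len = (uint16_t)out_cap;  /* demo guard */
    memcpy(out, rec + HB_HDR_LEN, payload_len);
    return payload_len;
}

/* Fixed shape: reject the record unless header + claimed payload + minimum
 * padding fits inside what was received. Returns bytes echoed or -1. */
int hb_echo_fixed(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;    /* too short */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, payload_len);
    return payload_len;
}

/* Detection helper for the demo: did the echoed buffer contain bytes that
 * lie beyond the record (i.e. the constructed `secret` marker)? */
int leaked_secret(const uint8_t *out, int n) {
    if (n <= 0) return 0;
    for (int i = 0; i + (int)sizeof secret - 1 <= n; i++)
        if (memcmp(out + i, secret, sizeof secret - 1) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t out[ARENA_LEN];
    size_t rec_len = build_record(40, 4);    /* claims 40, really carries 4 */
    int n = hb_echo_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: echoed %d bytes, secret leaked: %d\n", n, leaked_secret(out, n));
    n = hb_echo_fixed(arena, rec_len, out, sizeof out);
    printf("fixed: result %d (negative = rejected)\n", n);
    rec_len = build_record(4, 4);            /* honest record */
    n = hb_echo_fixed(arena, rec_len, out, sizeof out);
    printf("fixed, honest record: echoed %d bytes\n", n);
    return 0;
}
```

The point of the comparison is the single line in `hb_echo_fixed` that relates the claimed length to `rec_len`: without it the parser reads past the record into whatever happens to sit next in memory, and, as the advisory notes, nothing about the exchange is logged, because from the server's side it is just a well-formed heartbeat. The `out_cap` cap in the vulnerable function is purely so the example cannot read past its own buffer.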
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/