Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Tue Apr 8 06:05:23 UTC 2014

It's bad. I decided to test my servers after updating them. Took me
about 3 hours to write a working implementation of this attack without
any prior knowledge of TLS internals. It's easy to do, pretty much
impossible to detect, and it's going to spread quickly. Shut down your
https sites and any other TLS services until you've updated OpenSSL,
then think about changing your private keys.

- Max

On Tue, Apr 8, 2014 at 1:06 AM, Paul Ferguson <fergdawgster at mykolab.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - - ferg
>
>
>
> Begin forwarded message:
>
>> From: Rich Kulawiec <rsk at gsp.org> Subject: Serious bug in
>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>> 9:27:40 PM EDT
>>
>> This reaches across many versions of Linux and BSD and, I'd
>> presume, into some versions of operating systems based on them.
>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>> places.
>>
>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>> revealed
>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>
>>  Technical details: Heartbleed Bug http://heartbleed.com/
>>
>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>>
>
>
> - --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
> =aAzE
> -----END PGP SIGNATURE-----
>