Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Frank Bulk frnkblk at iname.com
Tue Apr 8 19:12:00 UTC 2014


If we would front our HTTPS services with an (OpenSSL vulnerable)
load-balancer that does the SSL work and we just use HTTP to the service,
will that mitigate information loss that's possible with this exploit?  Or
will the OpenSSL code on the load-balancer also store or "cache" content?

Frank

-----Original Message-----
From: Paul Ferguson [mailto:fergdawgster at mykolab.com] 
Sent: Tuesday, April 08, 2014 12:07 AM
To: NANOG
Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm really surprised no one has mentioned this here yet...

FYI,

- - ferg



Begin forwarded message:

> From: Rich Kulawiec <rsk at gsp.org>
> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
> Date: April 7, 2014 at 9:27:40 PM EDT
> 
> This reaches across many versions of Linux and BSD and, I'd
> presume, into some versions of operating systems based on them.
> OpenSSL is used in web servers, mail servers, VPNs, and many other
> places.
> 
> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>
> Technical details: Heartbleed Bug http://heartbleed.com/
> 
> OpenSSL versions affected (from link just above):
>
> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
> OpenSSL 1.0.0 branch is NOT vulnerable
> OpenSSL 0.9.8 branch is NOT vulnerable
> 


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
=aAzE
-----END PGP SIGNATURE-----






