[Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)
sf10095 at gmail.com
Sat Apr 26 14:20:17 IDT 2014
There is now a fork by openbsd people for openssl. It's called libressl.
They crave for more people to help.
On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev <lists at infoscav.net>wrote:
> If any of you guys and gals think this isn's serious, think twice. The
> CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
> of being announced. There is a wave of security compromises all over the
> world and sane CAs are offering free renewals of SSL certificates.
> On 04/11/2014 08:35 AM, Eli Billauer wrote:
> Hi all,
> I suppose that the security freaks already know about this, and still,
> this seems important enough for an alert.
> In a nutshell, a bug in the mechanism that allows keepalive messages to
> be sent to maintain an SSL link, also allows, accidentally, a remote
> attacker to read a segment of up to 64 kBytes from the server's memory.
> It's doesn't give access to any chunk of 64 kBytes, but it's a segment
> which is likely to be dirty with data that belongs to the process
> running openSSL. So there's a chance that data related to private keys
> and passwords is revealed this way.
> See http://en.wikipedia.org/wiki/Heartbleed
> I haven't found any tool checking a local SSH server, say as source code
> in C. I suppose it's being avoided for the sake of not supplying the
> almost-finished attack to script kiddies.
> Hag Sameah,
> Haifux mailing list
> Haifux at haifux.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Haifux