<div dir="ltr"><div>There is now a fork by openbsd people for openssl. It's called libressl. <br><br><a href="http://www.libressl.org/">http://www.libressl.org/</a><br><br></div>They crave for more people to help. <br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev <span dir="ltr"><<a href="mailto:firstname.lastname@example.org" target="_blank">email@example.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="direction:ltr" bgcolor="#FFFFFF" text="#000000">
<div>If any of you guys and gals think this
isn's serious, think twice. The CloudFlare SSL Heartbleed
challenge site's SSL key was stolen within hours of being
announced. There is a wave of security compromises all over the
world and sane CAs are offering free renewals of SSL certificates.<div class=""><br>
On 04/11/2014 08:35 AM, Eli Billauer wrote:<br>
I suppose that the security freaks already know about this, and still,
this seems important enough for an alert.
In a nutshell, a bug in the mechanism that allows keepalive messages to
be sent to maintain an SSL link, also allows, accidentally, a remote
attacker to read a segment of up to 64 kBytes from the server's memory.
It's doesn't give access to any chunk of 64 kBytes, but it's a segment
which is likely to be dirty with data that belongs to the process
running openSSL. So there's a chance that data related to private keys
and passwords is revealed this way.
See <a href="http://en.wikipedia.org/wiki/Heartbleed" target="_blank">http://en.wikipedia.org/wiki/Heartbleed</a>
I haven't found any tool checking a local SSH server, say as source code
in C. I suppose it's being avoided for the sake of not supplying the
almost-finished attack to script kiddies.
Haifux mailing list<br>
<a href="http://haifux.org/mailman/listinfo/haifux" target="_blank">http://haifux.org/mailman/listinfo/haifux</a><br>