<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Apr 8, 2014 at 6:43 PM, Richard Barker <span dir="ltr"><<a href="mailto:richard.barker@quietwatercourse.co.uk" target="_blank">richard.barker@quietwatercourse.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=""><div class="h5">On 08/04/14 18:13, Mark Croft wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
just reading this from devon linux user group , sounds serious ,<br>
bugs/flaw/hole in cryptographic software library<br>
<br>
"Researchers have discovered an extremely critical defect in the<br>
cryptographic software library an estimated two-thirds of Web servers<br>
use to identify themselves to end users and prevent the eavesdropping<br>
of passwords, banking credentials, and other sensitive data."<br>
<br>
<br>
<br>
---------- Forwarded message ----------<br>
From: Martijn Grooten <<a href="mailto:martijn@lapsedordinary.net" target="_blank">martijn@lapsedordinary.net</a>><br>
Date: 8 April 2014 09:10<br>
Subject: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability<br>
To: <a href="mailto:list@dcglug.org.uk" target="_blank">list@dcglug.org.uk</a><br>
<br>
<br>
Things rarely get more serious than this:<br>
<br>
<a href="http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/" target="_blank">http://arstechnica.com/<u></u>security/2014/04/critical-<u></u>crypto-bug-in-openssl-opens-<u></u>two-thirds-of-the-web-to-<u></u>eavesdropping/</a><br>
<a href="http://heartbleed.com/" target="_blank">http://heartbleed.com/</a><br>
<br>
Martijn.<br>
<br>
</blockquote></div></div>
I saw this earlier, it's very worrying but it seems to have been patched commendably quickly. Those of us who make use of OpenVPN might find the information at this link of interest. It seems that the OpenVPN team do need to issue a patch seperately.<br>
<br>
<a href="https://forums.openvpn.net/topic15519.html" target="_blank">https://forums.openvpn.net/<u></u>topic15519.html</a><br>
<br>
Rich.</blockquote></div></div><div class="gmail_extra"><br><div><div><div><div><div>It's a pretty serious bug, as it allows the
attacker to reveal upto 64KiB of private memory, this could potentially
include the SSL private keys! <br></div><div>The bug does only affect OpenSSL version 1.0.1 (and 1.0.2) but it affects anything using OpenSSL, eg: Apache HTTPD, OpenVPN, etc.<br><br>There is also no way to tell if you
have been exploited and what information the attacker may have got.
There are examples on the internet <br>revealing Yahoo usernames and
passwords, so I would avoid using Yahoo for the moment.<br><br></div><div>Advisory here: <a href="https://www.openssl.org/news/secadv_20140407.txt">https://www.openssl.org/news/secadv_20140407.txt</a><br><br></div>Information on the bug is here: <a href="http://heartbleed.com/">http://heartbleed.com/</a><br>
<br></div>A checker is: <a href="http://filippo.io/Heartbleed/">http://filippo.io/Heartbleed/</a><br><br></div>Ivan has also updated SSL Labs to test for the vulnerability: <a href="https://www.ssllabs.com/">https://www.ssllabs.com/</a><br>
<br></div><div>Certainly
openSUSE and Debian seem to have pushed updates as of this morning and
I suspect other distros have, or will be pushing updates shortly.<br><br></div><div>It
is essentially that people apply these patches immediately and you
should also consider revoking your SSL keys and reissuing. If your a
high <br>value site, then it might be prudent to revoke your SSL keys.<br><br></div><div>It's also worth not forgetting about any devices / appliances which may be running OpenSSL, SSL offload boxes etc.<br></div><div>
<br></div>Regards,<br></div>Chris<br></div></div>