<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Apr 8, 2014 at 7:32 PM, David Goodwin <span dir="ltr"><<a href="mailto:david@codepoets.co.uk" target="_blank">david@codepoets.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=""><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It's a pretty serious bug, as it allows the attacker to reveal upto 64KiB of private memory, this could potentially include the SSL private keys!<br>
The bug does only affect OpenSSL version 1.0.1 (and 1.0.2) but it affects anything using OpenSSL, eg: Apache HTTPD, OpenVPN, etc.<br>
</blockquote>
<br></div>
Yes. Unfortunately it's the case that if you hadn't upgraded to Debian Wheezy (and were still on Squeeze) that you would have been safe. Annoyingly I upgraded my mail server less than a week ago :-(<br>
<br>
Now to question which banks (if any) have been compromised/hit<br></blockquote><div><br></div>Most banks will be running older stacks. Few are offering TLS 1.1 or TLS 1.2 yet nor forward secrecy. <br>For example NatWest doesn't even offer AES cipher suites, forcing RC4 or 3DES. Ultimately most banks <br>
don't actively care about their SSL configurations.<br></div><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
See also : <a href="https://lwn.net/Articles/593683/" target="_blank">https://lwn.net/Articles/<u></u>593683/</a><br>
<br>
<br>
David<br>
<br>
<br>
--<br>
David Goodwin<br>
<a href="http://codepoets.co.uk" target="_blank">http://codepoets.co.uk</a><div class="HOEnZb"><div class="h5"><br>
<br>
<br>
______________________________<u></u>_________________<br>
Wolves LUG mailing list<br>
Homepage: <a href="http://www.wolveslug.org.uk/" target="_blank">http://www.wolveslug.org.uk/</a><br>
Mailing list: <a href="mailto:Wolves@mailman.lug.org.uk" target="_blank">Wolves@mailman.lug.org.uk</a><br>
Mailing list home: <a href="https://mailman.lug.org.uk/mailman/listinfo/wolves" target="_blank">https://mailman.lug.org.uk/<u></u>mailman/listinfo/wolves</a><br>
</div></div></blockquote></div><br></div></div>