[Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

Sorana Fraier sf10095 at gmail.com
Sat Apr 26 14:20:17 IDT 2014


There is now a fork by openbsd people for openssl. It's called libressl.

http://www.libressl.org/

They crave more people to help.


On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev <lists at infoscav.net> wrote:

> If any of you guys and gals think this isn't serious, think twice. The
> CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
> of being announced. There is a wave of security compromises all over the
> world and sane CAs are offering free renewals of SSL certificates.
>
>
> On 04/11/2014 08:35 AM, Eli Billauer wrote:
>
> Hi all,
>
> I suppose that the security freaks already know about this, and still,
> this seems important enough for an alert.
>
> In a nutshell, a bug in the mechanism that allows keepalive messages to
> be sent to maintain an SSL link, also allows, accidentally, a remote
> attacker to read a segment of up to 64 kBytes from the server's memory.
> It doesn't give access to any chunk of 64 kBytes, but it's a segment
> which is likely to be dirty with data that belongs to the process
> running OpenSSL. So there's a chance that data related to private keys
> and passwords is revealed this way.
>
> See http://en.wikipedia.org/wiki/Heartbleed
>
> I haven't found any tool checking a local SSH server, say as source code
> in C. I suppose it's being avoided for the sake of not supplying the
> almost-finished attack to script kiddies.
>
> Hag Sameah,
>
>     Eli
>
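The bug Eli describes above comes down to one missing check: the length field inside the heartbeat request was trusted, so the server echoed back whatever memory followed the request. The handler below is an added example written for this archive page, not OpenSSL's or LibreSSL's code; it uses a simplified record layout (type byte, 16-bit payload length, payload, 16 bytes of padding) and rejects any request whose declared payload is not fully present in the received record.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding required after the payload */

/* Parse one heartbeat record of rec_len bytes and write the response
 * (type, length, echoed payload, padding) into out. Returns the response
 * size, or -1 if the record is malformed. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;

    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The check the vulnerable code lacked: the peer-supplied length must
     * be covered by bytes that actually arrived in this record. Without
     * it, memcpy below would read past the request into process memory. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);         /* only bytes inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);  /* real TLS uses random padding */
    return (int)resp_len;
}

/* Test helper: build a constructed request whose declared length may
 * disagree with the number of payload bytes actually supplied. */
size_t build_request(uint8_t *buf, uint16_t declared,
                     const uint8_t *payload, size_t actual)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}
```

A record declaring the maximum 65535-byte payload with only a few bytes behind it is the shape that yielded the 64 kByte reads; the handler above returns -1 for it instead of echoing.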