Standard User billford
(elder) Tue 08-Apr-14 10:39:22

OpenSSL vulnerability


 
OpenSSL vulnerabilities

This page lists all security vulnerabilities fixed in released versions of OpenSSL since 0.9.6a was released on 5th April 2001.

2014

CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)

In reference to heartbleed.com:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.


Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
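The missing bounds check described in the advisory above, as an added example that is not OpenSSL's own code: a small C validator for an RFC 6520 heartbeat message that applies the kind of record-length comparison the 1.0.1g fix introduced, then builds the echo response only from bytes that were actually received (the function and constant names are this example's own).

```c
/* Added example (not OpenSSL's code): RFC 6520 heartbeat framing with
 * the record-length check that CVE-2014-0160 lacked. Names are my own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding */
enum hb_result { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_EXCEEDS_RECORD };

/* Validate one heartbeat message: 1-byte type, 2-byte big-endian
 * payload_length, payload, padding. record_len is the byte count actually
 * received. The vulnerable code trusted payload_length without this check. */
enum hb_result hb_validate(const uint8_t *rec, size_t record_len,
                           size_t *payload_len_out)
{
    if (record_len < 1 + 2 + HB_MIN_PADDING)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check the 1.0.1g fix added: header + claimed payload +
     * minimum padding must fit inside the bytes we actually have. */
    if (1 + 2 + payload + HB_MIN_PADDING > record_len)
        return HB_LENGTH_EXCEEDS_RECORD;
    if (payload_len_out)
        *payload_len_out = payload;
    return HB_OK;
}

/* Build the echo response into out (capacity out_cap) only for a validated
 * request. Returns bytes written, or 0 if the request is rejected. */
size_t hb_build_response(const uint8_t *rec, size_t record_len,
                         uint8_t *out, size_t out_cap)
{
    size_t payload, total;
    if (hb_validate(rec, record_len, &payload) != HB_OK || rec[0] != HB_REQUEST)
        return 0;
    total = 1 + 2 + payload + HB_MIN_PADDING;
    if (total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* echo exactly payload bytes */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);  /* zero padding; TLS uses random */
    return total;
}
```

A request that claims a 65535-byte payload inside a 23-byte record is rejected before any copy takes place, which is exactly the case the missing check let through.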
Standard User bobble_bob
(fountain of knowledge) Tue 08-Apr-14 16:19:33

Re: OpenSSL vulnerability


[re: billford]
 
As serious as some of these are, I've given up caring too much about the latest vulnerability in whatever software/hardware. Scares you to death. Only way to be safe is to unplug your router.
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 04:18:43

Re: OpenSSL vulnerability


[re: bobble_bob]
 
In reply to a post by bobble_bob:
Only way to be safe is to unplug your router
...and wear a tin foil hat ;)

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs



Standard User RobertoS
(sensei) Wed 09-Apr-14 11:12:59

Re: OpenSSL vulnerability


[re: billford]
 
Ha! I was just about to post the link in the Web/hosting forum, seeing as Andrew doesn't think it warrants an article at this stage. I think it relates mainly to people here running servers.

That forum looks dead though, so I checked here and found this :)

My broadband basic info/help site - www.robertos.me.uk | Domains,site and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 58.7/14.6Mbps @ 600m. - BQM

"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Standard User caffn8me
(knowledge is power) Wed 09-Apr-14 12:02:40

Re: OpenSSL vulnerability


[re: RobertoS]
 
Of course, it's not enough just to upgrade OpenSSL; any applications compiled with it need to be recompiled as well.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Ignitionnet
(knowledge is power) Wed 09-Apr-14 12:41:44

Re: OpenSSL vulnerability


[re: billford]
 
I am rather grateful for the 0.9.8 version running on the relevant equipment here.

That is nasty and without a doubt the largest security vulnerability to affect the Internet in a very, very long time.
Standard User billford
(elder) Wed 09-Apr-14 12:52:38

Re: OpenSSL vulnerability


[re: Ignitionnet]
 
I was rather surprised to read that it was a failure to perform bounds checking; you'd have thought that internet programmers would have learned the lesson by now. It's not exactly the first time errors like that have led to security holes.

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User greenglide
(experienced) Wed 09-Apr-14 14:40:33

Re: OpenSSL vulnerability


[re: billford]
 
I am still waiting for the first email purporting to come from Nat West / Santander / TSB / "random bank name" telling me to reset my password by clicking here...

Got an email at work which forwarded the official HMG warning about it and a request for emergency impact. Scary, very scary.

BT Infinity 2 - IP profile 77 / 20 - super fast!
Previously BE Unlimited - 21,000 Download 1,200 Upload but then moved house - 6,500 Down, 1Mb/s up - gutted!
Ex-Nildram, been to SKY MAX - 15,225 Download
Standard User billford
(elder) Wed 09-Apr-14 15:00:33

Re: OpenSSL vulnerability


[re: greenglide]
 
The Beeb are at it too:
Heartbleed Bug: Public urged to reset all passwords


Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User asrdesigns
(newbie) Wed 09-Apr-14 15:48:14

Re: OpenSSL vulnerability


[re: billford]
 
So, is there any chance that this applies to our SOHO modem / routers? I read some folks saying it's only the web servers themselves that are vulnerable (which I'm inclined not to believe) and the contrary view that it affects anything with SSL traffic passing through it (which seems to me to be more plausible). Nothing on ISP web sites one way or the other, and a Tech Support guy I've just spoken to at my ISP had not even heard of HeartBleed.