OpenSSL vulnerabilities
This page lists all security vulnerabilities fixed in released versions of OpenSSL since 0.9.6a was released on 5th April 2001.
2014
CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
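The advisory quoted above says the root cause was a missing bounds check in the heartbeat handler: the peer's message claims a payload length, and the responder echoed that many bytes without confirming that many bytes had actually arrived. The following is an added illustration, not OpenSSL's code, of what that check looks like for a message in the RFC 6520 layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding). The arithmetic is the same as the check the 1.0.1g fix introduced: header + claimed payload + minimum padding must fit inside the record that was received. The sample messages in `demo_good` and `demo_bad` are constructed here for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* heartbeat_request type byte (RFC 6520) */
#define HB_RESPONSE    2   /* heartbeat_response type byte */
#define HB_HEADER_LEN  3   /* type (1) + payload_length (2) */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 bytes of padding */

/* Parse one heartbeat message held in a record of record_len bytes.
 * Returns the claimed payload length if, and only if, the claimed payload
 * plus the minimum padding actually fits inside the received record;
 * returns -1 otherwise. This is the bounds check whose absence the advisory
 * describes: without it, a peer can claim more payload than it sent and the
 * responder copies the difference from whatever memory follows the record. */
int heartbeat_payload_len(const uint8_t *rec, size_t record_len)
{
    if (rec == NULL || record_len < HB_HEADER_LEN)
        return -1;                              /* not even a full header */
    if (rec[0] != HB_REQUEST)
        return -1;                              /* only requests are echoed */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > record_len)
        return -1;                              /* claimed length exceeds record */
    return (int)claimed;
}

/* Build the echo response. Only bytes that were really received are copied,
 * and the padding is freshly zeroed rather than taken from the peer.
 * Returns bytes written, or -1 if validation fails or out is too small. */
int heartbeat_build_response(const uint8_t *rec, size_t record_len,
                             uint8_t *out, size_t out_len)
{
    int claimed = heartbeat_payload_len(rec, record_len);
    if (claimed < 0)
        return -1;
    size_t total = HB_HEADER_LEN + (size_t)claimed + HB_MIN_PADDING;
    if (out_len < total)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)claimed);
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);
    return (int)total;
}

/* Constructed sample: honest request, 3-byte payload "abc" + 16 bytes padding. */
int demo_good(void)
{
    uint8_t rec[HB_HEADER_LEN + 3 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };
    return heartbeat_payload_len(rec, sizeof rec);      /* 3 */
}

/* Constructed sample: same 22-byte record, but the header claims 0x4000
 * (16384) bytes of payload. The check rejects it instead of over-reading. */
int demo_bad(void)
{
    uint8_t rec[HB_HEADER_LEN + 3 + HB_MIN_PADDING] = { HB_REQUEST, 0x40, 0x00, 'a', 'b', 'c' };
    return heartbeat_payload_len(rec, sizeof rec);      /* -1 */
}

int main(void)
{
    printf("well-formed request: payload_len=%d\n", demo_good());
    printf("over-claimed request: payload_len=%d (rejected)\n", demo_bad());
    return 0;
}
```

The point of the example is the single comparison in `heartbeat_payload_len`: the length field is attacker-controlled input and must be checked against the number of bytes that actually arrived before it is used to size a copy.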
As serious as some of these are, I've given up caring too much about the latest vulnerability in whatever software/hardware. Scares you to death. Only way to be safe is unplug your router
Only way to be safe is unplug your router ...and wear a tin foil hat
Ha! I was just about to post the link in the Web/hosting forum, seeing as Andrew doesn't think it warrants an article at this stage. I think it relates mainly to people here running servers.
That forum looks dead though, so I checked here and found this.
My broadband basic info/help site - www.robertos.me.uk | Domains,site and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 58.7/14.6Mbps @ 600m. - BQM
"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Of course, it's not enough just to upgrade OpenSSL but any applications compiled with it need to be recompiled.
I am rather grateful for the 0.9.8 version running on the relevant equipment here.
That is nasty and without a doubt the largest security vulnerability to affect the Internet in a very, very long time.
I was rather surprised to read that it was a failure to perform bounds checking; you'd have thought that internet programmers would have learned the lesson by now. It's not exactly the first time errors like that have led to security holes.
I am still waiting for the first email purporting to come from Nat West / Santander / TSB / "random bank name" telling me to reset my password by clicking here ....
Got an email at work which forwarded the official HMG warning about it and a request for emergency impact. Scary, very scary.
BT Infinity 2 - IP profile 77 / 20 - super fast!
Previously BE Unlimited - 21,000 Download 1,200 Upload but then moved house - 6,500 Down, 1Mb/s up - gutted!
Ex Nildram, been to SKY MAX - 15,225 Download
The Beeb are at it too: Heartbleed Bug: Public urged to reset all passwords
So, is there any chance that this applies to our SOHO modem / routers? I read some folks saying it's only the web servers themselves that are vulnerable (which I'm inclined to not believe) and the contrary view that it affects anything with SSL traffic passing through it (which seems to me to be more plausible). Nothing on ISP web sites one way or the other, and a Tech Support guy I've just spoken to at my ISP had not even heard of HeartBleed.