Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- To: list@xxxxxxxxxxxxx
- Subject: Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- From: Philip Hudson <phil.hudson@xxxxxxxxx>
- Date: Tue, 8 Apr 2014 10:37:29 +0100
- Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
On 8 April 2014 10:27, Rob Beard <rob@xxxxxxxxxxxxxxx> wrote:
> On Tue, 8 Apr 2014 08:10:20 +0000, Martijn Grooten
> <martijn@xxxxxxxxxxxxxxxxxx> wrote:
>> Things rarely get more serious than this:
>>
>> http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
>> http://heartbleed.com/
>>
>> Martijn.
>
> I've spent the morning updating our Debian servers at work, but there's
> something I wasn't entirely clear about. According to the Ars article the
> Private Keys can be recovered, am I right in thinking this would affect SSL
> keys, TLS keys on e-mail servers and keys used on OpenVPN?
I'll defer to Martijn, but while awaiting his response: AFAICT the
answer is yes, if the keys are in use by servers/apps that call the
OpenSSL libraries, eg Apache and Nginx. Hence the word "laborious" in
the second article.
--
Phil Hudson http://hudson-it.no-ip.biz
@UWascalWabbit PGP/GnuPG ID: 0x887DCA63
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq