Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

 

On 8 April 2014 10:42, Philip Hudson <phil.hudson@xxxxxxxxx> wrote:
> On 8 April 2014 09:10, Martijn Grooten <martijn@xxxxxxxxxxxxxxxxxx> wrote:
>> Things rarely get more serious than this:
>>
>> http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
>> http://heartbleed.com/
>
>
> Just checked OpenSSH dependencies in Debian apt, and they do include
> libssl, so I guess OpenSSH is one of the affected apps. Damn.

On second thoughts, the conclusion -- that OpenSSH private keys need
to be considered compromised -- does not necessarily follow the
premise (though I still think it's pretty likely). From what I've read
so far it is not clear that the bug resides in that particular library
as opposed to some other component (though again I think it's pretty
likely). We need a definitive answer from someone better informed than
me.

-- 
Phil Hudson                  http://hudson-it.no-ip.biz
@UWascalWabbit                 PGP/GnuPG ID: 0x887DCA63

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq