Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- To: list@xxxxxxxxxxxxx
- Subject: Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- From: Philip Hudson <phil.hudson@xxxxxxxxx>
- Date: Tue, 8 Apr 2014 11:01:23 +0100
- Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
On 8 April 2014 10:42, Philip Hudson <phil.hudson@xxxxxxxxx> wrote:
> On 8 April 2014 09:10, Martijn Grooten <martijn@xxxxxxxxxxxxxxxxxx> wrote:
>> Things rarely get more serious than this:
>>
>> http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
>> http://heartbleed.com/
>
>
> Just checked OpenSSH dependencies in Debian apt, and they do include
> libssl, so I guess OpenSSH is one of the affected apps. Damn.

On second thoughts, the conclusion -- that OpenSSH private keys need
to be considered compromised -- does not necessarily follow from the
premise (though I still think it's pretty likely). From what I've read
so far it is not clear that the bug resides in that particular library
as opposed to some other component (though again I think it's pretty
likely). We need a definitive answer from someone better informed than
me.
--
Phil Hudson http://hudson-it.no-ip.biz
@UWascalWabbit PGP/GnuPG ID: 0x887DCA63
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq