Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- To: list@xxxxxxxxxxxxx
- Subject: Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- From: Philip Hudson <phil.hudson@xxxxxxxxx>
- Date: Tue, 8 Apr 2014 11:16:07 +0100
- Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
On 8 April 2014 11:01, Philip Hudson <phil.hudson@xxxxxxxxx> wrote:
> On second thoughts, the conclusion -- that OpenSSH private keys need
> to be considered compromised -- does not necessarily follow the
> premise (though I still think it's pretty likely). From what I've read
> so far it is not clear that the bug resides in that particular library
> as opposed to some other component (though again I think it's pretty
> likely). We need a definitive answer from someone better informed than
> me.
Still speculating: OpenSSH *login passwords* (and/or key passphrases?)
needing to be considered compromised looks (slightly) more likely than
OpenSSH private keys needing to be considered compromised.

Having said all this, I guess I should make it clear that it is not
impossible from what I've read so far that OpenSSH is not affected at
all, or only in cases involving specifically SSL/TLS credentials. I've
never encountered one myself.

So... DON'T PANIC. :-)
--
Phil Hudson http://hudson-it.no-ip.biz
@UWascalWabbit PGP/GnuPG ID: 0x887DCA63
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq