Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

 

On Tue, Apr 08, 2014 at 11:16:07AM +0100, Philip Hudson wrote:
> Still speculating: OpenSSH *login passwords* (and/or key passphrases?)
> needing to be considered compromised looks (slightly) more likely than
> OpenSSH private keys needing to be considered compromised.
> 
> Having said all this, I guess I should make it clear that it is not
> impossible from what I've read so far that OpenSSH is not affected at
> all, or only in cases involving specifically SSL/TLS credentials. I've
> never encountered one myself.

The vulnerability allows anyone to obtain a chunk of memory from a
vulnerable server. If that server runs OpenSSH and if OpenSSH stores
passwords, key phrases and/or private keys in memory, it is affected,
regardless of the dependency between OpenSSL and OpenSSH.

Martijn.



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq