Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- To: list@xxxxxxxxxxxxx
- Subject: Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
- From: Martijn Grooten <martijn@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 8 Apr 2014 12:52:35 +0000
On Tue, Apr 08, 2014 at 12:45:49PM +0000, Martijn Grooten wrote:
> The vulnerability allows anyone to obtain a chunk of memory from a
> vulnerable server. If that server runs OpenSSH and if OpenSSH stores
> passwords, key phrases and/or private keys in memory, it is affected,
> regardless of the dependency between OpenSSL and OpenSSH.

If you only run SSL/TLS clients, I understand you are still vulnerable
if you connect to a server managed by the attackers. So in practice
you're slightly less vulnerable - and you would be less of a target too.
Still, upgrading is essential.

Martijn.
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq