On 08/04/14 16:18, Martijn Grooten wrote:
> Not sure how much more evidence you want than the screenshot in the
> Fox-IT blog post. Others have reported the same. It's probably harder if
> you are looking for specific data, but still. A lot of very bad things
> can be done with random secret data.

Gah... that was entirely my fault: between noscript and request-policy, I hadn't seen it (it wasn't loading) on the page. Had to enable some blogger* cross-domain requests and up it popped. Sorry about that.

> "Updated my post to include info about sbrk and mmap. I'm no longer
> skeptical about #Heartbleed sec key leakage. It could happen! Update!"

Oh dear, I hadn't seen that either. Fair enough, I think you've convinced me that my earlier self-assurance about reasonable doubt for extraordinary claims was a bit too optimistic after all.

I've done most of the work and mitigation already but am going to have to stay right on my toes for the next few days, and probably then some, looking for issues. As you've said, swiping more arbitrary data from affected servers is looking more and more reliable.

I'd still like someone *really* in a position to know to clarify to the world exactly which subsystems on which versions of which OS are vulnerable - we know OpenBSD SSH doesn't link against OpenSSL so is safe, but ldd and strings on various Linux distros against SSH components is much less clear.

For the moment there's not a lot I can do about it as there's no rest for the wicked: 10 minutes into my nap I was woken up and reminded that it's now Patch Tuesday and I have a bunch of Windows boxes to worry about instead.

What a day.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
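The poster's question of which components actually link against OpenSSL is an inventory problem. As an added example (not from the thread or the list), this script parses ldd output for libssl/libcrypto and also walks /proc to find running processes that still have an OpenSSL library mapped; the ldd samples are constructed, and a Linux host with /proc is assumed.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: find which binaries link
# OpenSSL and which running processes still have it mapped. Assumes Linux
# with /proc, ldd(1) and a sed that accepts -E.

# Read ldd(1) output on stdin; print "<soname> <path>" for each libssl or
# libcrypto it links, nothing if the binary does not link OpenSSL.
openssl_libs_from_ldd() {
    # ldd lines look like: "libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x...)"
    sed -E -n 's/^[[:space:]]*(lib(ssl|crypto)\.so[^ ]*) => ([^ ]*).*/\1 \3/p'
}

# Return 0 if the binary at $1 links libssl or libcrypto according to ldd.
links_openssl() {
    ldd "$1" 2>/dev/null | openssl_libs_from_ldd | grep -q .
}

# Print "<pid> <cmdline>" for every process with an OpenSSL library mapped.
# This catches dlopen()ed copies that ldd never shows, and services that
# were not restarted after the library update and so still run the old code.
processes_with_openssl_mapped() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q -E 'lib(ssl|crypto)\.so' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" \
                "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)"
        fi
    done
}

# Report on each binary given as an argument, then on live processes.
report_openssl_exposure() {
    for bin in "$@"; do
        if links_openssl "$bin"; then echo "LINKS OpenSSL: $bin"
        else echo "no OpenSSL:    $bin"; fi
    done
    echo "--- processes with libssl/libcrypto mapped ---"
    processes_with_openssl_mapped
}

# Constructed ldd output: a daemon that links OpenSSL ...
SAMPLE_LDD_WITH_SSL='	linux-vdso.so.1 (0x00007ffd)
	libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f)
	libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f)'
# ... and one that does not (the OpenBSD sshd case raised in the thread).
SAMPLE_LDD_WITHOUT_SSL='	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f)'

# Typical use on a real host: report_openssl_exposure /usr/sbin/sshd /usr/sbin/nginx
```

A binary that shows no OpenSSL under ldd can still load it at runtime, which is why the /proc walk matters more than the ldd check once a library update has been applied.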