On 08/04/14 19:21, Martijn Grooten wrote:
> On Tue, Apr 08, 2014 at 07:02:49PM +0100, Simon Waters wrote:
>> On 08/04/14 13:45, Martijn Grooten wrote:
>>>
>>> The vulnerability allows anyone to obtain a chunk of memory from a
>>> vulnerable server. If that server runs OpenSSH and if OpenSSH stores
>>> passwords, key phrases and/or private keys in memory, it is affected,
>>> regardless of the dependency between OpenSSL and OpenSSH.
>>
>> Is it any memory?
>>
>> I would assume since it is a user space flaw, that it can only leak
>> memory it can read, which would likely be 64K of its own memory space
>> (on proper operating systems anyway).
>>
>> I've seen no commentary either way.
>
> Good point. You may well be right here.
>
> (But yes, it's only a minor relief.)
>
> Martijn.

Oi! This is what I kept saying earlier: it's very unlikely that anything except the memory mapped to the process in question is going to be leaked, which is why I doubt SSH private keys are going to be spat out of a vulnerable Linux machine serving Apache (at least, I really, really hope not). There is still uncertainty about just how different distros link their different apps to OpenSSL though, and for which components, so this still isn't a given.

Simon also understands why PFS is a *major* mitigation factor in this debacle, not sure why everyone else didn't immediately grasp the value of it.

And yes, Ubuntu systems definitely require rebooting after patching, it's not enough to restart services (other distros were so inconsistent in their behaviour here that for once I took the simple approach and just rebooted everything anyway, to be sure).

Count yourselves lucky that you're 'only' dealing with Linux - I've got AIX, HP-UX, Solaris and a whole bunch of other big expensive and terribly supported boxes to patch and god only knows when they'll get around to rolling out official patches. At the moment I'm manually recompiling OpenSSL on these platforms with -DOPENSSL_NO_HEARTBEATS where required. Mercifully, some of these platforms are so conservative that they weren't actually running a modern enough version of OpenSSL to need fixing anyway. Thank god OpenVMS only ships OpenSSL 0.9.8, I don't think I've ever even tried to compile something on that before...

So, what do you all think then? Worst bug in recent history? I'd have to go back a fair way to think of something nastier or more widespread than this.

Regards

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
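
Added example, not part of the original message: a check for the restart-versus-reboot question raised above, listing Linux processes that still map a libssl/libcrypto file that a package upgrade has replaced on disk. The function names and the sample `/proc/<pid>/maps` lines are constructed for illustration.

```python
import os
import re

# A maps line whose backing file is libssl/libcrypto and has been unlinked,
# i.e. the process is still running the pre-upgrade copy of the library.
STALE = re.compile(r"(\S*/lib(?:ssl|crypto)[^/\s]*\.so[^\s]*) \(deleted\)$")


def stale_openssl_maps(maps_text):
    """Return sorted deleted libssl/libcrypto paths found in one maps dump."""
    found = set()
    for line in maps_text.splitlines():
        match = STALE.search(line.rstrip())
        if match:
            found.add(match.group(1))
    return sorted(found)


def scan_proc(proc_root="/proc"):
    """Map pid -> stale library paths for every readable process."""
    results = {}
    if not os.path.isdir(proc_root):
        return results
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_openssl_maps(fh.read())
        except OSError:  # process exited, or we lack permission to read it
            continue
        if stale:
            results[int(entry)] = stale
    return results


# Constructed sample of /proc/<pid>/maps content (not taken from a real host).
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c055000 r-xp 00000000 08:01 393301 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c255000-7f3a1c258000 r--p 00055000 08:01 393301 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1b800000-7f3a1b9b0000 r-xp 00000000 08:01 393287 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1b000000-7f3a1b1bb000 r-xp 00000000 08:01 393250 /lib/x86_64-linux-gnu/libc-2.19.so
"""

if __name__ == "__main__":
    print(stale_openssl_maps(SAMPLE_MAPS))
    for pid, libs in sorted(scan_proc().items()):  # run as root to see all pids
        print(pid, ", ".join(libs))
```

Binaries that link OpenSSL statically never map a shared libssl, so they will not appear in this output and have to be rebuilt or replaced separately.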