nanog mailing list archives
Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
From: Maxim Khitrov <max () mxcrypt com>
Date: Tue, 8 Apr 2014 02:05:23 -0400
It's bad. I decided to test my servers after updating them. Took me about 3 hours to write a working implementation of this attack without any prior knowledge of TLS internals. It's easy to do, pretty much impossible to detect, and it's going to spread quickly. Shut down your https sites and any other TLS services until you've updated OpenSSL, then think about changing your private keys.

- Max

On Tue, Apr 8, 2014 at 1:06 AM, Paul Ferguson <fergdawgster () mykolab com> wrote:
I'm really surprised no one has mentioned this here yet...

FYI,

- ferg

Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Date: April 7, 2014 at 9:27:40 PM EDT

This reaches across many versions of Linux and BSD and, I'd presume, into some versions of operating systems based on them. OpenSSL is used in web servers, mail servers, VPNs, and many other places.

Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/

Technical details: Heartbleed Bug
http://heartbleed.com/

OpenSSL versions affected (from link just above):

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
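
For triaging a fleet against the version list quoted in this message, the following is an added example (not part of the original thread) that classifies the first line of `openssl version` output per host. The host names and banner lines are constructed, and because a distribution package can carry a backported fix under an unchanged upstream version string, a "vulnerable" result means "verify the installed package", not proof of exposure.

```python
import re
from collections import defaultdict

# First line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-[\w.]+)?")


def classify(banner):
    """Map one banner to a status using only the list quoted in the thread."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    branch, letter, tag = m.group(1), m.group(2), m.group(3) or ""
    # Pre-release builds (-beta, -dev, ...) are not covered by the quoted list.
    if tag not in ("", "-fips"):
        return "not listed"
    if branch in ("1.0.0", "0.9.8"):
        return "not vulnerable"
    if branch == "1.0.1":
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are not.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    return "not listed"


def triage(inventory_lines):
    """Group hosts by status; each line is '<host> <banner>'."""
    report = defaultdict(list)
    for line in inventory_lines:
        host, _, banner = line.strip().partition(" ")
        report[classify(banner)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts, illustrative banners).
SAMPLE = [
    "web1.example.net OpenSSL 1.0.1e 11 Feb 2013",
    "web2.example.net OpenSSL 1.0.1g 7 Apr 2014",
    "mail.example.net OpenSSL 1.0.1e-fips 11 Feb 2013",
    "vpn.example.net OpenSSL 0.9.8y 5 Feb 2013",
    "lab.example.net OpenSSL 1.0.2-beta1 24 Feb 2014",
    "old.example.net OpenSSL 1.0.1 14 Mar 2012",
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(status, hosts)
```

On hosts flagged here, `openssl version -a` also prints the build date, which helps tell a patched distribution build from an unpatched one.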