The Heartbleed Bug is a serious vulnerability in OpenSSL (fwd)

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Tue Apr 8 15:43:05 UTC 2014


This bug is in all current Linux systems.  It is serious.

What should you do?
(1) Avoid things involving OpenSSL.  You might not be using OpenSSL
    anyway.
(2) Do updates in a day or so when the fixes ought to be out.

More details:

OpenSSL is a library used for SSL and TLS, the crypto behind HTTPS
(secure web sites).  And a bunch of other things.

I think that Firefox and Chrome use a different implementation (NSS) and 
should be safe.  (Interestingly, Google announced recently that it
intends to migrate Chrome to OpenSSL.)

OpenSSL typically would be used for server processes and a few clients
(mail server and client, web servers, OpenVPN, ...).

Some things would be using GnuTLS instead of OpenSSL.

Here are the not-yet-released Fedora updates:
https://admin.fedoraproject.org/updates/openssl/

This is one Patch Tuesday we share with the Windows folk (and the last
one for WinXP).

---------- Forwarded message ----------
From: Edwin Chu <edwincheese-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
To: cryptography-of7zbby7T3pWk0Htik3J/w at public.gmane.org, cryptography-JWVWRpNfo5ceIZ0/mPfg9Q at public.gmane.org
Date: Mon, 7 Apr 2014 14:53:06 -0700
Subject: [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Hi

The latest story for OpenSSL

http://heartbleed.com/

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
cryptographic software library. This weakness allows stealing the
information protected, under normal conditions, by the SSL/TLS encryption
used to secure the Internet. SSL/TLS provides communication security and
privacy over the Internet for applications such as web, email, instant
messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the
systems protected by the vulnerable versions of the OpenSSL software. This
compromises the secret keys used to identify the service providers and to
encrypt the traffic, the names and passwords of the users and the actual
content. This allows attackers to eavesdrop on communications, steal data
directly from the services and users and to impersonate services and users.


ed
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




