OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks
Bismillah (993337) writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012."
Quoting the security advisory: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon, Fedora is having some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application.
Now how are we supposed to collect people's private information without their knowledge? Think of the children and all of the terrorists captured with this exploit in the wild!
sincerely,
NSA
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Never trusted openssl - only use GnuTLS.
http://www.theregister.co.uk/2...
Good thing I use WIndows, so I'm safe.
*air-punch*
I knew procrastinating Debian upgrades for most of a decade would pay off! I am VINDICATED!
Silly, all "Open*" projects are owned by OpenBSD. Like OpenGL. And OpenOffice. :p
I read TFA and all I got was this lousy cookie
This bug is almost 10 years old
Well look who natively counts in binary.
Hello Joshua! Give my regards to Dr Falken.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC