[Cialug] Heartbleed attack

Nicolai nicolai-cialug at chocolatine.org
Mon Apr 7 19:45:05 CDT 2014


Heartbleed is a new attack on TLS as implemented by OpenSSL.  Long story
short, it allows attackers to recover private keys, so sysadmins should
take note.  Read:

  http://heartbleed.com

OpenSSL 1.0.1 up to 1.0.1f are vulnerable.  1.0.1g released today is
not.  (It's only vulnerable to attacks the public doesn't know about yet.)

To check your version:

$ openssl version -v -b
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:31:55 UTC 2014

The above output is from a patched Ubuntu machine.  A fix was applied
to an older version of OpenSSL, closing the hole, hence the build date
of today.
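The version check above is easy to misread on a distribution that backports fixes: the version string stays "1.0.1" while only the build date moves. The POSIX shell snippet below is an added example, not something from the original post or from OpenSSL itself. It classifies the two lines that `openssl version -v -b` prints: a version in the 1.0.1..1.0.1f range is reported as vulnerable unless its build date is on or after 7 Apr 2014 (the 1.0.1g release day; using that day as the cutoff is this example's assumption), in which case it is flagged as a possible distro backport to confirm with the package manager. The sample version lines near the bottom are constructed for illustration; only the first pair is taken from the output above.

```sh
#!/bin/sh
# Added example (not from the post or from OpenSSL): classify the two lines
# printed by `openssl version -v -b` the way the post reads them.

PATCH_DATE=20140407   # YYYYMMDD of the 1.0.1g release; cutoff is an assumption

# month_number Apr -> 04
month_number() {
    case "$1" in
        Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
        May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
        Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *)   echo 00;;
    esac
}

# build_date_yyyymmdd "built on: Mon Apr  7 20:31:55 UTC 2014" -> 20140407
# Prints 00000000 when the line is not in that layout, so the caller
# treats an unparseable build date as "not rebuilt".
build_date_yyyymmdd() {
    set -- $(printf '%s\n' "$1" | sed 's/^built on: *//')
    # $1=weekday $2=month $3=day $4=time $5=zone $6=year
    if [ -z "$6" ] || [ -z "$3" ]; then
        echo 00000000
        return
    fi
    printf '%s%s%02d\n' "$6" "$(month_number "$2")" "$3"
}

# classify_openssl VERSION_LINE BUILT_LINE
# Prints one of:
#   vulnerable              1.0.1..1.0.1f, built before the fix existed
#   backport-check-package  1.0.1..1.0.1f, but rebuilt on/after 7 Apr 2014;
#                           confirm with the distro package (e.g. dpkg -s)
#   fixed                   1.0.1g or later
#   not-in-range            not a 1.0.1 release; not in the range the post names
classify_openssl() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f])
            built=$(build_date_yyyymmdd "$2")
            if [ "$built" -ge "$PATCH_DATE" ] 2>/dev/null; then
                echo "backport-check-package"
            else
                echo "vulnerable"
            fi
            ;;
        1.0.1[g-z]*)
            echo "fixed"
            ;;
        *)
            echo "not-in-range"
            ;;
    esac
}

# Run against the local binary when invoked as: sh check.sh --live
check_local_openssl() {
    out=$(openssl version -v -b) || return 1
    classify_openssl "$(printf '%s\n' "$out" | sed -n 1p)" \
                     "$(printf '%s\n' "$out" | sed -n 2p)"
}

if [ "${1-}" = "--live" ]; then
    check_local_openssl
else
    # Constructed samples: the first pair is the post's own output,
    # the rest are made up to show the other outcomes.
    classify_openssl 'OpenSSL 1.0.1 14 Mar 2012'  'built on: Mon Apr  7 20:31:55 UTC 2014'
    classify_openssl 'OpenSSL 1.0.1e 11 Feb 2013' 'built on: Tue Feb 12 10:00:00 UTC 2013'
    classify_openssl 'OpenSSL 1.0.1g 7 Apr 2014'  'built on: Mon Apr  7 14:00:00 UTC 2014'
    classify_openssl 'OpenSSL 1.0.0l 6 Jan 2014'  'built on: Mon Jan  6 12:00:00 UTC 2014'
fi
```

A "backport-check-package" result is not a clean bill of health on its own: the rebuild could be for some unrelated reason, so look at the package's changelog or security advisory for the CVE before trusting it, and treat "vulnerable" as a reason to upgrade and then rekey regardless.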

OpenSSH is unaffected because it has nothing to do with TLS.

However, consider private keys used by OpenSSL for TLS to be compromised,
as well as any traffic you may have encrypted using those keys.  So it's
time to make new keys.

Nicolai
