cloudstack-dev mailing list archives

From Marcus <shadow...@gmail.com>
Subject Re: OpenSSL vulnerability (bleedheart)
Date Tue, 08 Apr 2014 17:40:43 GMT
I haven't read up on the actual mechanism, but it basically tricks
the server process into adding 64k of random memory from its process
space into the TLS heartbeat payload. That means any documents shared
over an SSL app, credentials, session keys, and anything else the
process touches.

Update your mail server as well if it allows TLS connections (do the
command above to see if TLS server extension "heartbeat" is
supported). And openvpn if you run VPN servers.

On Tue, Apr 8, 2014 at 11:31 AM, Nux! <nux@li.nux.ro> wrote:
> On 08.04.2014 18:24, Marcus wrote:
>>
>> For anyone who doesn't know, this is a nightmare. People on tech sites
>> are scraping logins from each other and posting comments as other
>> users just to show they can; it's pretty powerful to be able to grab
>> random memory from a process using OpenSSL.
>
>
> How exactly does this happen? Do you know? For now I was just concerned
> someone would get my SSL key for my site and so on.
>
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
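
The mechanism discussed in this message comes down to a heartbeat request whose payload_length field claims more bytes than were actually received. The following C code is an added example, not part of the original thread and not OpenSSL's code: it applies the RFC 6520 length check before echoing a payload, and the function names and sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HDR      3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Payload length the sender claims, read from the message header. */
static size_t hb_claimed(const uint8_t *msg) {
    return ((size_t)msg[1] << 8) | msg[2];
}

/* Bytes an unchecked echo would read from beyond the received message.
 * 0 means the claimed payload ends inside what actually arrived. */
size_t hb_overread(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HB_HDR) return 0;
    size_t end = HB_HDR + hb_claimed(msg);
    return end > msg_len ? end - msg_len : 0;
}

/* Hardened responder (hypothetical name): returns the response length
 * written to out, or 0 when the message must be discarded silently. */
size_t hb_respond(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap) {
    if (msg_len < HB_HDR + HB_MIN_PAD || msg[0] != HB_REQUEST) return 0;
    size_t claimed = hb_claimed(msg);
    size_t total = HB_HDR + claimed + HB_MIN_PAD;
    if (total > msg_len || total > out_cap) return 0;  /* the bounds check */
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HDR, msg + HB_HDR, claimed);       /* echo only received bytes */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD);     /* real stacks use random padding */
    return total;
}

int main(void) {
    /* Constructed samples: 4-byte payload "ping" plus 16 bytes of padding. */
    uint8_t consistent[23]   = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t inconsistent[23] = {HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    printf("consistent:   overread=%zu resp=%zu\n",
           hb_overread(consistent, 23), hb_respond(consistent, 23, out, 64));
    printf("inconsistent: overread=%zu resp=%zu\n",
           hb_overread(inconsistent, 23), hb_respond(inconsistent, 23, out, 64));
    return 0;
}
```

The second sample is rejected because its header claims 65535 payload bytes in a 23-byte message, which is the "64k" of process memory the message refers to.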
