Serious OpenSSL bug renders websites wide open

itnews au ^ | on Apr 8, 2014 8:07 AM | Juha Saarinen

[Utilizer]

A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed.

Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic. User names, passwords and the actual content of the communications can also be read.

...

OpenSSL recommends that uses immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the the heartbeat handshake. The 1.0.2 version of OpenSSL will be fixed with beta 2.

Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable...

[Utilizer]

A bit more info at the site (and lots more ads) (use Ghostery), but the relevant info is posted here.

[Utilizer]

You might be interested in this, mate.

[SunkenCiv]

Whoopsie. Thanks Utilizer.

[Zathras]

Very interesting!!
Thanks for posting this.

[George from New England]

I wondered when this would hit FR ?

[ImaGraftedBranch]

“Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable...”

It’s those pesky windows machines again....

Wait! What?

[ShadowAce]

[rarestia]

UGH! This SUCKS! I’ve got to recompile my SSL CAs due to this. I doubt it’s a big problem, but it’s a PITA.

FWIW, many large businesses use OpenSSL for certificate services. It’s inherently more secure than Windows ADCS, but it’s a bear to manage. You’d be surprised how ubiquitous this software truly is.

[rarestia]

For any Ubuntu 12.04 users:

How to patch CVE

[Utilizer]

Welcome, mate. We need to look out for one another after all.

[Utilizer]

No worries. Hope it helps many.

[Utilizer]

I wondered when this would hit FR ?

Give us a break, mate. Only posted about nineteen hours ago, and not all of us have net access 24/7. :)

[Utilizer]

This affects any machines that run these vulnerable versions of OpenSSL, including 'doze machines and maccompukers as well I would imagine. Note however that as usual it is the 'nix crowd that discovered this bug and patched it, with not a whimper from the MS pukes or macophiles. Macmachines run OS-X, I think, which is unix-based so they should really take a closer look at this.

I understand some gaming consoles also use some version of OpenSSL for online games and logins, but then again they along with the macs are primarily graphics boxen and obviously have little need for REAL computing and security.

[Utilizer]

True. It may not affect every machine out there, but for those of us with a need for good security especially businesses of any size this is a bug worth paying attention to.

[zeugma]

Fedora 20 here:

OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Looks OK.

[zeugma]

Reply to self... e comes before g, stoopid.

[Utilizer]

*snicker* Thanks for the laugh, mate! *grin*

[Lazamataz]

Probably hackers have discovered a purposed NSA backdoor.

[rarestia]

If you use OpenSSL to encrypt your data, you’re vulnerable. Period. I have 20 VMs in my home environment alone that I have to patch. Revoking and reassigning certificates is a nightmare. I think the worst part is not knowing: not knowing if any of my data was ever leaked. That’s what hurts the most.

[zeugma]

*snicker* Thanks for the laugh, mate! *grin*

I'm just glad that I noticed my stupidity rather than some wag here. Hard to live that kind of thing down. :-)