[ale] OpenSSL Broken, Upgrade Now

Justin Goldberg justgold79 at gmail.com
Mon Apr 14 20:54:02 EDT 2014


If only your IPs could reach port 22, then you should be safe, unless one
of your hosts was breached.

On Apr 14, 2014 2:16 PM, "Edward Holcroft" <eholcroft at mkainc.com> wrote:

> This article says that ssl certificates could have been stolen:
>
>
> http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/
>
> Does this really mean I need to replace the ssl keys on every one of my
> Amazon Linux boxes, even non-web servers with access allowed only from
> pre-assigned IP addresses? Please tell me it's not so!
>
> ed
>
>
> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik <david at systemoverlord.com> wrote:
>
>> TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider replacing keys.
>>  Not as bad as Debian OpenSSL bug, but worse than "goto fail;".
>>
>> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
>> cryptographic software library. This weakness allows stealing the
>> information protected, under normal conditions, by the SSL/TLS encryption
>> used to secure the Internet. SSL/TLS provides communication security and
>> privacy over the Internet for applications such as web, email, instant
>> messaging (IM) and some virtual private networks (VPNs).
>>
>> The Heartbleed bug allows anyone on the Internet to read the memory of
>> the systems protected by the vulnerable versions of the OpenSSL software.
>> This compromises the secret keys used to identify the service providers and
>> to encrypt the traffic, the names and passwords of the users and the actual
>> content. This allows attackers to eavesdrop communications, steal data
>> directly from the services and users and to impersonate services and users."
>>
>> http://heartbleed.com
>>
>> --
>> David Tomaschik
>> OpenPGP: 0x5DEA789B
>> http://systemoverlord.com
>> david at systemoverlord.com
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
>
>
> --
> Edward Holcroft | Madsen Kneppers & Associates Inc.
> 11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
> O (770) 446-9606 | M (770) 630-0949
>
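
A version-banner check for the advice quoted in this thread (upgrade OpenSSL to >= 1.0.1g), added here as an example and not part of any poster's message. The function names and sample banners are constructed; treating 1.0.1 with no patch letter as the start of the affected range follows the OpenSSL advisory rather than this page.

```shell
#!/bin/sh
# Added example: compare an `openssl version` banner with the thread's advice
# "upgrade OpenSSL to >= 1.0.1g". Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make [a-f] style ranges compare by byte value

# Prints one of: affected-range | meets-advice | other-branch | unparsed
classify_openssl_banner() {
    # Banner looks like "OpenSSL 1.0.1e-fips 11 Feb 2013"; field 2 is the version.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    [ -n "$ver" ] || { echo unparsed; return 0; }
    base=${ver%%-*}   # drop build suffixes such as -fips

    case "$base" in
        1.0.1|1.0.1[a-f])      echo affected-range ;;  # older than 1.0.1g
        1.0.1[g-z]*)           echo meets-advice ;;    # 1.0.1g or a later letter
        # Any other x.y.z is outside the 1.0.1 series the thread's cutoff covers.
        [0-9]*.[0-9]*.[0-9]*)  echo other-branch ;;
        *)                     echo unparsed ;;
    esac
}

# Classify the OpenSSL binary on this host (prints unparsed if none is found).
check_local_openssl() {
    classify_openssl_banner "$(openssl version 2>/dev/null)"
}

# Constructed sample banners, one per line.
while IFS= read -r banner; do
    printf '%-36s %s\n' "$banner" "$(classify_openssl_banner "$banner")"
done <<'EOF'
OpenSSL 1.0.1 14 Mar 2012
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 0.9.8y 5 Feb 2013
EOF
printf '%-36s %s\n' "local openssl" "$(check_local_openssl)"
```

An `affected-range` result on a distribution package is not conclusive, because vendors that backport fixes keep the old upstream version string; confirm against the package changelog.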