As a provider or tech supporter, here are just some notes for you to follow up on:

Basic Info here: http://heartbleed.com

Since this has recently been highly publicized, I expect that we will see an uptick in activity on this vulnerability.

Test websites (so you can see if servers you deal with have the issue):
http://filippo.io/Heartbleed/
https://github.com/FiloSottile/Heartbleed - the testing code

NOTE: OpenSSH's implementation of SSL functionality with OpenSSL is limited to key generation/verification/exchange, and it doesn't appear to use the TLS heartbeat code at all. This vulnerability is related to services implementing SSL/TLS only:
http://superuser.com/questions/739349/does-heartbleed-affect-ssh-keys

More specifics

There is a critical vulnerability that is out in the wild called Heartbleed. We need to identify and mitigate anywhere that is vulnerable.

The following versions of the library are vulnerable:

* *OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable*
* OpenSSL 1.0.1g is NOT vulnerable
* OpenSSL 1.0.0 branch is NOT vulnerable
* OpenSSL 0.9.8 branch is NOT vulnerable

HOWEVER - note that we cannot simply check the openssl version on a server, as distributions backport fixes to previous versions. For example, from the Ubuntu 14.04 openssl changelog (the second SECURITY UPDATE is the one we are discussing):

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c, util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in ssl/d1_both.c,
      ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Mon, 07 Apr 2014 15:37:53 -0400

-- 
Rich Roth
Webmaster/Steering Committee Member
Hidden-tech http://www.hidden-tech.net
The Talent you need is right here, Join and share your skills
((Sponsored by Thrives Media)) http://www.thrivesmedia.com
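An added example (my own code, not from the post or from Ubuntu): a small Python checker that applies the version rule above and then, because distributions backport fixes without bumping the upstream version, looks for a CVE-2014-0160 entry in a Debian-style changelog. The embedded changelog is the Ubuntu trusty entry quoted above, used here as constructed sample input; the function names are my own.

```python
import re

HEARTBLEED_CVE = "CVE-2014-0160"

# Constructed sample input: the Ubuntu trusty changelog entry quoted in the post.
SAMPLE_CHANGELOG = """\
openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in ssl/d1_both.c,
      ssl/t1_lib.c.
    - CVE-2014-0160

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Mon, 07 Apr 2014 15:37:53 -0400
"""

def parse_openssl_version(banner):
    """'OpenSSL 1.0.1f 6 Jan 2014' -> ('1.0.1', 'f'); the letter is '' for a bare 1.0.1."""
    m = re.match(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return m.group(1), m.group(2)

def vulnerable_by_version(banner):
    """Upstream rule from the post: 1.0.1 through 1.0.1f inclusive are affected;
    1.0.1g and later, and the 1.0.0 and 0.9.8 branches, are not."""
    base, letter = parse_openssl_version(banner)
    return base == "1.0.1" and letter < "g"

def entries_citing(changelog, cve=HEARTBLEED_CVE):
    """Package versions whose Debian changelog entry cites the CVE, i.e. where the
    distribution backported the fix without bumping the upstream version."""
    found = []
    for entry in re.split(r"\n(?=\S)", changelog):  # each entry starts in column 0
        head = re.match(r"\S+ \(([^)]+)\)", entry)   # 'openssl (1.0.1f-1ubuntu2) ...'
        if head and cve in entry:
            found.append(head.group(1))
    return found

def assess(banner, changelog):
    """Combine both checks, since the upstream version alone is not enough.
    Returns 'not_vulnerable', 'backported_fix' or 'vulnerable'."""
    if not vulnerable_by_version(banner):
        return "not_vulnerable"
    if entries_citing(changelog):
        return "backported_fix"
    return "vulnerable"
```

On a Debian or Ubuntu host the real inputs are the output of `openssl version` and of `zcat /usr/share/doc/openssl/changelog.Debian.gz`. A CVE mention is only evidence that a fix was applied, so read the entry it comes from rather than trusting the string match alone.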