[RndTbl] OpenSSL: patch it now!
Adam Thompson
athompso at athompso.net
Thu Apr 10 19:11:38 CDT 2014
Information leakage. Any query strings, post variables, responses, etc.
And if you use e.g. mod_php or mod_Perl, internal variable state.
Notably this includes *decrypted* credit card #s.
-Adam
On April 10, 2014 7:03:58 PM CDT, Paul Sierks <psierks at sierkstech.net> wrote:
>Regarding this attack, the main thing that could be compromised is the
>SSL private key. But other than that what else could be leaked? Anything
>in memory of the process / service being exploited. Password hashes,
>possibly even plaintext for email, etc. As long as the process(es) in
>question aren't running as root, damage shouldn't be too bad. Things
>such as oh, the shadow file, or private ssh keys, still remaining safe.
>
>Hopefully I'm not missing anything with this vulnerability but if I am
>I'd sure like to know.
>
>Thanks,
>Paul
>
>On 04/10/2014 06:28 PM, Adam Thompson wrote:
>> Most SSL certificate providers are allowing their customers to revoke
>> & reissue certificates at no charge as long as none of the details
>> (including verification method) change.
>> -Adam
>>
>>
>> On April 10, 2014 6:04:18 PM CDT, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>>
>> Most people have probably heard about this already, but if not, *patch
>> your OpenSSL now!* and restart your daemons.
>>
>> CVE-2014-0160
>>
>>
>> http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
>>
>> For some reason you (sometimes) have to reload that page a few times
>> before it actually loads.
>>
>> This is the worst bug I've seen in like 10 years, insofar as you may have
>> been compromised already, but you don't (can't!) know it and they may be
>> sitting there with your keys, waiting to actually make use of them at a
>> later date.
>>
>> From how I read it, the only way to be safe & sure is to make a new CSR
>> and buy a new SSL cert? Or are the cert vendors going to offer a "redo"
>> for free?
>>
>> ------------------------------------------------------------------------
>>
>> Roundtable mailing list
>> Roundtable at muug.mb.ca
>> http://www.muug.mb.ca/mailman/listinfo/roundtable
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.