OpenSSL bug
OpenSSL has revealed a bug that can be used to read out secure data (passwords, emails, etc.)

Quote:

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.


I don't know if AmiSSL is still maintained or all/most of today's programs use OpenSSL. It would be good if the authors of ports or programs using OpenSSL can update their respective work once 1.0.1g becomes available.
(The Main OpenSSL porter was informed)

Re: OpenSSL bug
AmiSSL as far as I know won't be affected by that heartbeats vulnerability, although it is vulnerable in other ways. I think AWeb was updated recently with patches to turn off features of AmiSSL to avoid a vulnerability.

AmiSSL itself would still need an update to fix its other vulnerabilities.


Edited by MickJT on 2014/4/9 19:17:49
Re: OpenSSL bug
@MickJT

Yes, one of the AmiSSL maintainers told me that a new version is in the pipeline which will skip this bug by using the fixed source base and take care of the other known ones.
