[RndTbl] OpenSSL: patch it now!

Adam Thompson athompso at athompso.net
Thu Apr 10 19:11:38 CDT 2014


Information leakage.  Any query strings, post variables, responses, etc.
And if you use e.g. mod_php or mod_perl, internal variable state.
Notably this includes *decrypted* credit card #s.
-Adam

On April 10, 2014 7:03:58 PM CDT, Paul Sierks <psierks at sierkstech.net> wrote:
>Regarding this attack, the main thing that could be compromised is the
>SSL private key. But other than that, what else could be leaked? Anything
>in memory of the process / service being exploited. Password hashes,
>possibly even plaintext for email, etc. As long as the process(es) in
>question aren't running as root, damage shouldn't be too bad. Things
>such as, oh, the shadow file, or private ssh keys, still remaining safe.
>
>Hopefully I'm not missing anything with this vulnerability but if I am 
>I'd sure like to know.
>
>Thanks,
>Paul
>
>On 04/10/2014 06:28 PM, Adam Thompson wrote:
>> Most SSL certificate providers are allowing their customers to revoke
>> & reissue certificates at no charge as long as none of the details
>> (including verification method) change.
>> -Adam
>>
>>
>> On April 10, 2014 6:04:18 PM CDT, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>>
>>     Most people have probably heard about this already, but if not,
>>     *patch your OpenSSL now!* and restart your daemons.
>>
>>     CVE-2014-0160
>>
>>     http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
>>
>>     For some reason you (sometimes) have to reload that page a few
>>     times before it actually loads.
>>
>>     This is the worst bug I've seen in like 10 years, insofar as you
>>     may have been compromised already, but you don't (can't!) know it
>>     and they may be sitting there with your keys, waiting to actually
>>     make use of them at a later date.
>>
>>     From how I read it, the only way to be safe & sure is to make a
>>     new CSR and buy a new SSL cert?  Or are the cert vendors going to
>>     offer a "redo" for free?
>>     ------------------------------------------------------------------------
>>
>>     Roundtable mailing list
>>     Roundtable at muug.mb.ca
>>     http://www.muug.mb.ca/mailman/listinfo/roundtable
>>
>>
>> -- 
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
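The leak the thread is describing is easier to see in code than in prose. What follows is an added example, not code from this thread or from OpenSSL: a small model of the CVE-2014-0160 heartbeat handling, using the TLS heartbeat message layout from RFC 6520 (type byte, two-byte payload_length, payload, at least 16 bytes of padding) and the length check that OpenSSL 1.0.1g added. The HEAP bytes are constructed sample data standing in for whatever happens to sit in the server process after the received record; they are not real memory contents, and the record encoder and function names are this example's own.

```python
"""Added example: model of the CVE-2014-0160 (Heartbleed) bounds-check bug.

Parses TLS heartbeat records (RFC 6520 layout) and shows why a peer-controlled
payload_length leaked process memory before OpenSSL 1.0.1g added a length check.
HEAP is constructed sample data, not real process memory.
"""
import struct

TLS_HEARTBEAT = 24          # TLS ContentType for heartbeat records
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520: at least 16 bytes of random padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, payload)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("record shorter than its declared length")
    return ctype, version, payload


def check_heartbeat(record: bytes) -> str:
    """Classify a record. The Heartbleed trigger is a heartbeat whose claimed
    payload_length (plus header and minimum padding) does not fit the record."""
    ctype, _version, payload = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(payload) < 3:
        return "malformed"
    hb_type, payload_length = struct.unpack("!BH", payload[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # The check OpenSSL 1.0.1g added: type(1) + length(2) + payload + padding(16)
    if 1 + 2 + payload_length + MIN_PADDING > len(payload):
        return "heartbleed-oversized"
    return "ok"


def heartbeat_response(record: bytes, heap: bytes, patched: bool):
    """Model of the server side of heartbeat processing.

    `heap` stands in for whatever process memory follows the received record
    in the server's buffer. Unpatched code trusts payload_length and copies
    that many bytes starting at the payload; patched code discards the
    message when the claimed length does not fit. Returns the echoed bytes,
    or None when the request is discarded.
    """
    ctype, _version, payload = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT or len(payload) < 3:
        return None
    hb_type, payload_length = struct.unpack("!BH", payload[:3])
    if hb_type != HB_REQUEST:
        return None
    if patched and 1 + 2 + payload_length + MIN_PADDING > len(payload):
        return None
    # The memcpy of payload_length bytes reads past the real payload into `heap`.
    readable = payload[3:] + heap
    return readable[:payload_length]


def build_heartbeat(hb_type: int, claimed_length: int, real_payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a heartbeat record; claimed_length may disagree with real_payload."""
    body = struct.pack("!BH", hb_type, claimed_length) + real_payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed sample data (not captured traffic, not real memory contents).
BENIGN = build_heartbeat(HB_REQUEST, 4, b"ping")
MALICIOUS = build_heartbeat(HB_REQUEST, 0x4000, b"")   # claims 16 KiB, carries 0
HEAP = (b"\x00" * 8
        + b"POST /checkout HTTP/1.1\r\nCookie: session=deadbeef\r\n\r\ncard=4111111111111111"
        + b"\x00" * 64)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, check_heartbeat(rec))
        print("  unpatched echoes:", heartbeat_response(rec, HEAP, patched=False))
        print("  patched echoes:  ", heartbeat_response(rec, HEAP, patched=True))
```

Run against the malicious record, the unpatched path hands back the constructed request body and card number that were never part of the heartbeat, which is the "anything in memory of the process" point above; the patched path returns nothing. The same inequality that `check_heartbeat` evaluates is what network-side detection for this bug keys on, and it is also why restarting daemons matters: a long-running process keeps the old, unpatched libssl mapped until it is restarted.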