[ALUG] OpenSSL bug.
Andreas Tauscher
ta at geuka.net
Tue Apr 8 13:05:35 EAT 2014
The security issue CVE-2014-0160 [1][2] describes an implementation bug
in OpenSSL.
The bug, named Heartbleed, enables a remote attacker to extract the
private key used for encryption from a server.
With this key you can decrypt any recorded traffic (if you are not using
PFS) or even do it in real time as a man in the middle.
Besides openssl itself, any software linked against libopenssl is affected.
Affected versions are:
OpenSSL 1.0.1 up to 1.0.1f
Affected distributions:
Debian Wheezy (stable)
Ubuntu 12.04.4 LTS
CentOS 6.5
Fedora 18
OpenSUSE 12.2
OpenBSD 5.3
OpenBSD 5.4
FreeBSD 8.4
FreeBSD 9.1
NetBSD 5.0.2
All these distributions have already released updates.
To be on the really safe side, after updating you should recreate all
private keys used on a vulnerable system.
Andreas
[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
[2] http://heartbleed.com/
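
A triage sketch for the version range and the "any software linked against" point in the message above. It is an added example, not part of the original post. The function names are hypothetical, and it assumes a Linux /proc layout and that the library file is named libssl.so.*.

```shell
#!/bin/sh
# Added example, not from the original post.

# classify_openssl BANNER
# Prints "affected" if the upstream version is 1.0.1 through 1.0.1f (the range
# given in the post), "not-in-range" for any other version, "unparsed" otherwise.
classify_openssl() {
    s=${1#OpenSSL }            # drop the "OpenSSL " banner prefix if present
    v=${s%%[!0-9a-z.]*}        # keep leading version token: "1.0.1e-fips" -> "1.0.1e"
    case $v in
        1.0.1|1.0.1[a-f]) echo affected ;;
        [0-9]*.[0-9]*)    echo not-in-range ;;
        *)                echo unparsed ;;
    esac
}

# libssl_users [PROC_ROOT]
# Lists "<pid> <library path> <state>" for each process that maps libssl.
# State "stale" means the mapped file was deleted or replaced on disk, so the
# process still runs the old library and needs a restart after the update.
libssl_users() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        awk -v pid="$pid" '$6 ~ /libssl\.so/ && !seen[$6]++ {
            print pid, $6, ($7 == "(deleted)" ? "stale" : "current")
        }' "$maps" 2>/dev/null
    done
}

# Constructed sample banners; on a real host pass "$(openssl version)" instead.
for banner in 'OpenSSL 1.0.1e-fips 11 Feb 2013' 'OpenSSL 1.0.1g 7 Apr 2014'; do
    printf '%s => %s\n' "$banner" "$(classify_openssl "$banner")"
done
```

Distributions often backport fixes without changing the upstream version string, so an "affected" result from the banner is a prompt to check the installed package's changelog, not proof. Run `libssl_users` as root after updating to see which services still hold the old library.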