[nSLUG] Nasty zero day vulnerability in openssl CVE-2014-0160

Sean Rickerd srickerd at suse.com
Fri Apr 11 11:56:26 ADT 2014

FYI, if you are using SUSE, you are safe. SUSE is unaffected by Heartbleed.

Sean Rickerd
Ingénieur Commercial/Sales Engineer

>>> Julien Savoie <julien.savoie at usainteanne.ca> 4/11/2014 10:51 AM >>>
I'm using regular HTTP to take credit card orders on my site, so this
big SSL bug doesn't affect me, right?

On 11/04/14 07:31 AM, George N. White III wrote:
> The early reports indicated the bug only affected html servers using
> https,
I really hope no one actually said that, because that's stupid.  The
vulnerability is within the TLS extension heartbeat (RFC 6520), not
http.  I've had success against my own dovecot imap server.

> but now we know that clients can leak memory, including wget, curl,
> links, and git
> <https://isc.sans.edu/forums/diary./The+Other+Side+of+Heartbleed+-+Client+Vulnerabilities/17945>.
Every first I've ever been happy something in Debian was linked against

>   The heartbleed.com <http://heartbleed.com> site now says:
> "You might have networked appliances with logins secured by this buggy
> implementation of the TLS. Furthermore you might have client side
> software on your computer that could expose the data from your
> computer if you connect to compromised services."
VMware 5.5 (at the time of writing) remains vulnerable and unpatched;

As for vulnerable clients, yes the heartbeat goes in both directions.
Fortunately most people aren't using a browser linked against openssl.

On 11/04/14 02:50 AM, Mike Spencer wrote:
> If I were contemplating the overthrow of a sovereign state, the purchase
> of nuclear weapons or just trying to disappear, I suppose I'd try to
> use PGP or GPG combined with steg and some way to defeat traffic
> analysis.
And I might use PGP/OTR to ask someone to meet me for coffee.  I'm not
sure it's wise, as a society, to only demand privacy when we're doing
something illicit.

nSLUG mailing list
nSLUG at nslug.ns.ca
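
Added example, not part of the thread and not OpenSSL's code: the thread places the bug in the TLS heartbeat extension (RFC 6520) and notes that heartbeats go in both directions, so the same receive-side check applies to clients and servers. RFC 6520 requires a receiver to silently discard a heartbeat whose payload_length is too large for the record; the names `hb_check` and `hb_respond` and the sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2   /* heartbeat_response, RFC 6520 */
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520: padding is at least 16 bytes */

/* rec/rec_len: decrypted record body and the number of bytes that really
 * arrived. Returns the payload length, or -1 if the message must be discarded. */
long hb_check(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD)
        return -1;                      /* cannot hold header plus padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Core check: the sender's claimed length must fit in what was received. */
    if (HB_HDR_LEN + claimed + HB_MIN_PAD > rec_len)
        return -1;
    return (long)claimed;
}

/* Echoes a validated request into out. Returns bytes written, 0 if discarded. */
size_t hb_respond(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap)
{
    long n = hb_check(req, req_len);
    if (n < 0 || req[0] != HB_REQUEST)
        return 0;
    size_t total = HB_HDR_LEN + (size_t)n + HB_MIN_PAD;
    if (total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = req[1];
    out[2] = req[2];
    memcpy(out + HB_HDR_LEN, req + HB_HDR_LEN, (size_t)n); /* bounded by hb_check */
    memset(out + HB_HDR_LEN + n, 0, HB_MIN_PAD); /* real stacks send random padding */
    return total;
}

/* Constructed sample: 4-byte payload "ping" plus 16 padding bytes (23 bytes). */
const uint8_t hb_good[] = {1, 0, 4, 'p','i','n','g',
                           0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
/* Constructed sample: same 23 bytes, but the length field claims 64. */
const uint8_t hb_bad[]  = {1, 0, 64, 'p','i','n','g',
                           0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
```

Because the check compares the length field against the received record size rather than trusting it, the second sample is dropped before any copy takes place.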
