[Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Tom Mitchell
mitch at niftyegg.com
Mon Apr 7 21:58:07 EDT 2014
On Mon, Apr 7, 2014 at 2:53 PM, Edwin Chu <edwincheese at gmail.com> wrote:
> Hi
>
> A latest story for OpenSSL
>
> http://heartbleed.com/
>
> The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
> cryptographic software library.
>
> rutro...
https://www.openssl.org/news/secadv_20140407.txt
OpenSSL Security Advisory [07 Apr 2014]
========================================
TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl at chromium.org> and Bodo Moeller <bmoeller at acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
--
T o m M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140407/7666bc88/attachment.html>
More information about the cryptography
mailing list