WebHostingPeople

WebHostingPeople
Table of Contents
Print

OpenSSL Security Vulnerability

A recent OpenSSL security vulnerability has come to light. It is strongly recommended that servers running the vulnerable versions of OpenSSL (1.0.1 and 1.0.2beta) be promptly updated.

For more information, refer to the official advisory: OpenSSL Security Advisory [07 Apr 2014]

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64KB of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including
1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for finding this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 is also fixed in 1.0.2-beta2.

 

Post Your Comment

Categories