On 11/04/2014 00:55, walt wrote: > On 04/09/2014 05:06 PM, Joseph wrote: >> Is gentoo effected by this new 'Heartbleed' bug? >> >> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL >> cryptographic software library...." >> >> http://heartbleed.com/ > > This topic was discussed in my favorite podcast, http://twit.tv/sn > > Steve Gibson explained that the heartbeat feature was introduced in openssl to > allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol. > > IIRC Steve didn't explain how UDP bugs can compromise TCP connections. > > Anyone here really understand the underlying principles? If so, please > explain! > > Thanks. > > > > >
UDP is not compromising TCP connections. The software bug allows malicious connecting code to determine the contents of memory, which is in use by sshd. How that memory got to be there is irrelevant. There are many lengthy discussions on the internet on how this vuln works. You should read them. -- Alan McKinnon alan.mckin...@gmail.com
