Hi all, I suppose that the security freaks already know about this, and still, this seems important enough for an alert.
In a nutshell, a bug in the mechanism that allows keepalive messages to be sent to maintain an SSL link, also allows, accidentally, a remote attacker to read a segment of up to 64 kBytes from the server's memory. It's doesn't give access to any chunk of 64 kBytes, but it's a segment which is likely to be dirty with data that belongs to the process running openSSL. So there's a chance that data related to private keys and passwords is revealed this way. See http://en.wikipedia.org/wiki/Heartbleed I haven't found any tool checking a local SSH server, say as source code in C. I suppose it's being avoided for the sake of not supplying the almost-finished attack to script kiddies. Hag Sameah, Eli -- Web: http://www.billauer.co.il _______________________________________________ Haifux mailing list Haifux@haifux.org http://haifux.org/mailman/listinfo/haifux
