On Fri, Apr 11, 2014 at 08:35:00AM +0300, Eli Billauer wrote: > Hi all, > > I suppose that the security freaks already know about this, and still, > this seems important enough for an alert. > > In a nutshell, a bug in the mechanism that allows keepalive messages to > be sent to maintain an SSL link, also allows, accidentally, a remote > attacker to read a segment of up to 64 kBytes from the server's memory. > It's doesn't give access to any chunk of 64 kBytes, but it's a segment > which is likely to be dirty with data that belongs to the process > running openSSL. So there's a chance that data related to private keys > and passwords is revealed this way. > > See http://en.wikipedia.org/wiki/Heartbleed > > I haven't found any tool checking a local SSH server, say as source code > in C. I suppose it's being avoided for the sake of not supplying the > almost-finished attack to script kiddies.
SSH is safe from this - it does not use this mechanism. Its protocol is different.Likewise is GPG is safe from this bug as it is built with GnuTLS. -- Tzafrir Cohen | tzaf...@jabber.org | VIM is http://tzafrir.org.il | | a Mutt's tzaf...@cohens.org.il | | best tzaf...@debian.org | | friend _______________________________________________ Haifux mailing list Haifux@haifux.org http://haifux.org/mailman/listinfo/haifux