How do I determine whether or not the web servers I run are affected? They are Apache 2.4, built for 64 bit Windows and downloaded from Apachelounge. I have no idea what version of openssl it was built with. Does anyone here know if the feature that introduces the risk can be turned off, without introducing other risks? If so, how?
Also, could the security keys we bought have been compromised? Any advice on how I can protect my servers better would be appreciated. Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D. On Mon, Apr 7, 2014 at 4:31 PM, OpenSSL <open...@openssl.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > OpenSSL Security Advisory [07 Apr 2014] > ======================================== > > TLS heartbeat read overrun (CVE-2014-0160) > ========================================== > > A missing bounds check in the handling of the TLS heartbeat extension can > be > used to reveal up to 64k of memory to a connected client or server. > > Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including > 1.0.1f and 1.0.2-beta1. > > Thanks for Neel Mehta of Google Security for discovering this bug and to > Adam Langley <a...@chromium.org> and Bodo Moeller <bmoel...@acm.org> for > preparing the fix. > > Affected users should upgrade to OpenSSL 1.0.1g. Users unable to > immediately > upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. > > 1.0.2 will be fixed in 1.0.2-beta2. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > > iQIcBAEBCAAGBQJTQt1bAAoJENNXdQf6QOniGhkP/AjjZgV+g7ZyxnxdnvA2+sdV > sxNso208Cod8DKnDONtXHuPTkTFfyHl72FM1ea99woe3X6JWj3PyiZGvSfeo4Jj/ > QiDJvvcHc5Xq00gAr6MIarhMJbRtYkM+Th6PPXyqODYcb/pDoqy5VWo/R9QkZTPn > zaiXPyapJB/qSYo4UqXWerT9YTLdYmiro//kQN0U/SedF/fNz4CEBcMyz6z7YJAC > LFoE6Vf54PAkNvxjcX9ugIKluBMk5YONRG8PB0X/UDwf9Kj4L6OTT51x1yeFw3Sg > GzTqvKD+2JWzFDCcfJULRCSCEwHhKbjR7n3sI1RPaaEWp5E63+9HSMRYjVOFIwt/ > OTrMPbW1BEiX0A7NB7HSrrvddnYd3sz8A44v00oesr+XaW5nyu79IndQwLhPkKYF > Dkb67quw/tfV6Y1r4sETqSd2FrM7MpFzltywMKzVKWNpMSwOAWSBGUl7VH0m84Ty > zAufUSEnYIA3dMC2DnHie+ot4WnjJlTErBmfUb/QNbNYDt0vjhS60oydP1NJ8AlG > aoUK7mslOlVCauAIeGNbi4PzJ+LvWYmyFFGT+M1/UOBZFFvG7jsReBjTIu9dg3Za > S7NE7CeMvRRpOEm1+T9L8a26/c6C9dwF7JPQvMpTR3BeT2jjkYe8rdTCkT91g1sd > J37YgDNuefzrsA+B5/o7 > =szjb > -----END PGP SIGNATURE----- > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
