On Wed, 9 Apr 2014, Geoffrey Thomas wrote:

> This only affects certs that were used on vulnerable versions of OpenSSL with
> allocation schemes that actually loaded the private key into freed memory that
> could be returned. I haven't seen a valid claim that this is anywhere near a
> significant fraction of the web.
>
> http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html
Note that this has been updated by now. See also:

    Update: Errata Security's Robert Graham [12] has acknowledged that he was
    mistaken in his assessment, and that private keys could be at risk. The
    original story below has been marked up accordingly.

    […]

    In [17] a post to the Errata Security blog, Robert Graham explained that it
    is highly unlikely that private key data would be stored in the memory
    buffer that could be leaked using the Heartbleed exploit. “What you can
    eavesdrop on with Heartbleed hacks is dynamic stuff, stuff that was
    allocated only moments ago,” he wrote. But that assertion has been refuted,
    and Graham has since rescinded it, as noted above.

    […]

    Terrence Koeman of MediaMonks told Ars he found signs of attempts to use
    the exploit dating back to November 2013. He used the packet content of a
    successful exploit of the Heartbleed vulnerability to check inbound packets
    logged by his servers and found a number of incoming packets from a network
    suspected of harboring a number of “bot” servers that were apparently scans
    for the vulnerability—sending Heartbleed-style requests to two different
    development servers in requests that were about five minutes apart.

    [12] https://twitter.com/julianor/status/454015858042757120

By now, we must assume that private key material *can* have been leaked, and
that this was being exploited five months ago already.

bye,
//mirabilos
-- 
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to be
a database” ‣‣‣ Please, http://deb.li/mysql and MariaDB, finally die!