[ale] OpenSSL Broken, Upgrade Now

Justin Goldberg justgold79 at gmail.com
Wed Apr 16 01:08:25 EDT 2014


Ok, right, that somehow slipped my mind. It's probably better to be safe
than sorry and update.
On Apr 15, 2014 9:23 AM, "Lightner, Jeff" <JLightner at dsservices.com> wrote:

> Sorry but that's wrong. Port 22 is the default for ssh (and scp/sftp
> by extension) but some folks change the port.  While ssh etc... use openssl
> they are NOT the only tools that do so.  https does as well which is why
> there is discussion about SSL certificates.
>
>
>
>
>
> *From:* ale-bounces at ale.org [mailto:ale-bounces at ale.org] *On Behalf Of *Justin
> Goldberg
> *Sent:* Monday, April 14, 2014 8:55 PM
> *To:* Atlanta Linux Enthusiasts
> *Subject:* Re: [ale] OpenSSL Broken, Upgrade Now
>
>
>
> If only your IPs could reach port 22, then you should be safe, unless one
> of your hosts was breached.
>
> On Apr 14, 2014 2:16 PM, "Edward Holcroft" <eholcroft at mkainc.com> wrote:
>
> This article says that ssl certificates could have been stolen:
>
>
>
>
> http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/
>
>
>
> Does this really mean I need to replace the ssl keys on every one of my
> Amazon Linux boxes, even non-web servers with access allowed only from
> pre-assigned IP addresses? Please tell me it's not so!
>
>
>
> ed
>
>
>
> On Mon, Apr 7, 2014 at 7:14 PM, David Tomaschik <david at systemoverlord.com>
> wrote:
>
> TL;DR: Upgrade OpenSSL to >= 1.0.1g immediately, consider replacing keys.
>  Not as bad as Debian OpenSSL bug, but worse than "goto fail;".
>
>
>
> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
> cryptographic software library. This weakness allows stealing the
> information protected, under normal conditions, by the SSL/TLS encryption
> used to secure the Internet. SSL/TLS provides communication security and
> privacy over the Internet for applications such as web, email, instant
> messaging (IM) and some virtual private networks (VPNs).
>
>
>
> The Heartbleed bug allows anyone on the Internet to read the memory of the
> systems protected by the vulnerable versions of the OpenSSL software. This
> compromises the secret keys used to identify the service providers and to
> encrypt the traffic, the names and passwords of the users and the actual
> content. This allows attackers to eavesdrop communications, steal data
> directly from the services and users and to impersonate services and users."
>
>
>
> http://heartbleed.com
>
>
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
>
>
>
>
>
>   _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo