OpenSSL 1.0.1 allows attackers to obtain sensitive information - arunc
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

======
hadoukenio
It's kind of ironic that there are going to be NSA employees who are pissed
that this got out. Here's a rewrite once the variable being the elephant in
the room is plugged in:

"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do
not properly handle Heartbeat Extension packets, which allows the NSA to
obtain sensitive information from process memory via crafted packets that
trigger a buffer over-read, as demonstrated by reading private keys, related
to d1_both.c and t1_lib.c"

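The over-read the quoted description refers to, as an added example rather than code from this thread or from OpenSSL: a C model of the heartbeat handler with the 1.0.1 defect beside the length check 1.0.1g added. `mem`, `secret`, `build_record`, `process_heartbeat` and `leaks_secret` are constructed for the model, and the "process memory" is a single array so the over-read stays observable without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>
#define HB_PADDING 16   /* RFC 6520 minimum padding */
#define TLS1_HB_REQUEST 1
/* Constructed "process memory": the heartbeat record sits at the start and
 * unrelated data (a placeholder standing in for key material) follows it. */
static unsigned char mem[128];
static const char secret[] = "PLACEHOLDER-PRIVATE-KEY";
/* Lay out a request record: type(1) | payload_length(2) | payload | padding.
 * declared_len is what the peer claims, actual_len what is really sent. */
static size_t build_record(uint16_t declared_len, size_t actual_len) {
    memset(mem, 0, sizeof mem);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (unsigned char)(declared_len >> 8);
    mem[2] = (unsigned char)(declared_len & 0xff);
    memset(mem + 3, 'p', actual_len);
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    memcpy(mem + rec_len, secret, sizeof secret);  /* bytes beyond the record */
    return rec_len;
}
/* Model of the heartbeat handler: returns payload bytes copied into out, or
 * -1 if the record is discarded. check=0 mirrors the 1.0.1 defect (payload
 * length taken on trust); check=1 adds the 1.0.1g bound, which requires
 * 1 + 2 + payload + padding to fit inside the record actually received. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             int check, unsigned char *out, size_t out_cap) {
    if (check && (size_t)(1 + 2 + HB_PADDING) > rec_len)
        return -1;
    const unsigned char *p = rec + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s() */
    p += 2;
    if (check && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                    /* silently discard, RFC 6520 sec. 4 */
    /* Echo `payload` bytes from p. Without the check above this copy runs
     * past the record into whatever lies next in process memory. */
    size_t n = payload < out_cap ? payload : out_cap;
    size_t left = (size_t)(mem + sizeof mem - p);   /* model-only arena bound */
    if (n > left) n = left;
    memcpy(out, p, n);
    return (int)n;
}
/* Does a record with these lengths echo back the placeholder secret? */
static int leaks_secret(uint16_t declared_len, size_t actual_len, int check) {
    unsigned char out[128];
    size_t rec_len = build_record(declared_len, actual_len);
    int n = process_heartbeat(mem, rec_len, check, out, sizeof out);
    size_t off = rec_len - 3;       /* secret starts this far into the echo */
    return n > 0 && (size_t)n >= off + strlen(secret) &&
           memcmp(out + off, secret, strlen(secret)) == 0;
}
```

A declared length that matches the payload passes both versions; a declared length larger than the record only passes the unchecked one, and that is the case the check turns into a silent discard.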
------
higherpurpose
Here comes NIST to state the obvious, after the fact.

~~~
easy_rider
I already saw some OpenSSL lib patches coming in on Ubuntu 13.10, I guess I
don't have to worry?

~~~
somesay
Test tool: [http://filippo.io/Heartbleed/](http://filippo.io/Heartbleed/) (not
mine)

~~~
Obscure
I have to say I'm wary of using this for any servers I control; what if they
turn out to be vulnerable and this page is just collecting a list of machines
to examine in detail later?

Has anyone found an offline tool for checking this?

~~~
ushi
Go to the repo[0], download the code, read the code, execute.

[0]
[https://github.com/FiloSottile/Heartbleed](https://github.com/FiloSottile/Heartbleed)

~~~
Obscure
Great, thank you. Just realised the repo is linked from the page too (I didn't
stay long enough to spot it last time).

