[Nolug] SSL bug

From: Joey Kelly <joey_at_joeykelly.net>
Date: Tue, 08 Apr 2014 10:52:41 -0500
Message-ID: <53441B49.9060403@joeykelly.net>



The guy that wrote the above needs to work on his English a little, but
what's described is bad. Very bad. If either end of an ssh or SSL
connection (this includes VPNs, IPsec, Puppet, secure websites, and
other stuff) runs vulnerable code (the site lists the versions in
question), your stuff can be owned. Log into your bank? An attacker can
follow right after you and steal all your money --- that bad.

If you run Debian 7 or CentOS 6, you are vulnerable. Versions prior are
safe (I have no idea which versions of Ubuntu are based on which
versions of Debian, so if you run that, find out ASAP).

Change all your SSL certs. Regenerate your ssh keys. Once that's done,
change any password (ssh, web login, you name it) that was used on a
vulnerable server. There is no telling if the bad guys knew about this
before the bugs were found, and no way of knowing if your stuff was
accessed or not.

This is a Big Deal.

Joey Kelly
Minister of the Gospel and Linux Consultant
Nolug mailing list
Received on 04/08/14
