Re: [Nolug] SSL bug

From: Joey Kelly <>
Date: Tue, 08 Apr 2014 11:39:08 -0500
Message-ID: <>

On 04/08/2014 11:01 AM, Brad Bendily wrote:
> Red Hat has released a fix for their OS:

Yes, but unfortunately the horse is already out of the barn.

Want more scary? There are zillions of fire-and-forget linux servers out
there that will never be patched. Fixed your stuff? Great, but it's
likely that sites you visit haven't.

What about phones and tablets? Has google said what versions of android
have this bug? It's not just the server end that's vulnerable.


> On Tue, Apr 8, 2014 at 10:52 AM, Joey Kelly <> wrote:
>> Guys,
>> The guy that wrote the above needs to work on his english a little, but
>> what's described is bad. Very bad. If either end of an ssh or SSL
>> connection (this includes VPNs, IPsec, Puppet, secure websites, and
>> other stuff) runs vulnerable code (the site lists the versions in
>> question), your stuff can be owned. Log into your bank? An attacker can
>> follow right after you and steal all your money --- that bad.
>> If you run Debian 7 or CentOS 6, you are vulnerable. Versions prior are
>> safe (I have no idea which versions of Ubuntu are based on which
>> versions of Debian, so if you run that, find out ASAP).
>> Change all your SSL certs. Regenerate your ssh keys. Once that's done,
>> change any password (ssh, web login, you name it) that was used on a
>> vulnerable server. There is no telling if the bad guys knew about this
>> before the bugs were found, and no way of knowing if your stuff was
>> accessed or not.
>> This is a Big Deal.
>> --
>> Joey Kelly
>> Minister of the Gospel and Linux Consultant
>> 504-239-6550
>> ___________________
>> Nolug mailing list
Nolug mailing list
Received on 04/08/14

This archive was generated by hypermail 2.2.0 : 04/08/14 EDT