Heartbleed attack on Openssl

Sam Gleske sam.mxracer at gmail.com
Wed Apr 9 15:17:49 CEST 2014


On Tue, Apr 8, 2014 at 11:01 PM, Felipe Vieira <fmv1992 at gmail.com> wrote:

> Dear GNUPG community,
> I think a lot of inexperienced users would like to know more about the
> Heartbleed problem found on some of the openssl versions. I have two broad
> questions and two specific questions:
> 1) Which type of clients have been compromised (consider an ordinary user)?
> 2) Which common applications use openssl and are a potential target?
>
> 2) Are firefox users compromised?
> 3) Are RetroShare users compromised?
> Thanks in advance.
>

For the most part it is service providers who are affected by the bug.
There's a handy website to verbosely explain heartbleed.

http://heartbleed.com/

Affected services include HTTP, email servers (SMTP, POP and IMAP
protocols), chat servers (XMPP protocol), virtual private networks (SSL
VPNs), databases (e.g. mysql), and pretty much any service that uses
openssl TLS/SSL to secure transport of services if they're recently patched.

Security notices for popular server distros...
RHEL - https://access.redhat.com/site/solutions/781793
Ubuntu - http://www.ubuntu.com/usn/usn-2165-1/

CLIENT

There's not much you can do at this point.  Update your system packages and
that's about it.

SERVICE PROVIDER
Essentially you want to take the following steps if you're a service
provider.

1. Test for the vulnerability - http://pastebin.com/WmxzjkXJ it is also
prudent to search for the affected package versions across all services.
2. If vulnerable, patch the OpenSSL version of public front end services
first.  Patch backend services after the front end is secure.
3. Reissue SSL private keys and certificates.  Since the leak exposes the
private key it is no longer pristine.

For the remaining more thorough steps of what to do see the
heartbleed.org website which has a nice set of instructions.
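A practical check for step 2 of the reply above, added here as an example and not part of the original mailing list post: upgrading the OpenSSL package does not fix a daemon that was started before the upgrade, because it keeps the old libssl/libcrypto mapped in memory until it is restarted. On Linux such mappings show up in /proc/PID/maps marked "(deleted)"; the script assumes that /proc layout and uses a constructed maps sample.

```shell
#!/bin/sh
# Added example, not from the original post. Finds processes that still have
# a pre-upgrade (now deleted) libssl/libcrypto mapped, i.e. services that were
# patched on disk but never restarted. Assumes the Linux /proc/<pid>/maps layout.

# Read maps-format lines from stdin and print each distinct path of a
# libssl/libcrypto mapping whose file has been replaced on disk ("(deleted)").
stale_ssl_libs() {
    while read -r _range _perms _offset _dev _inode path tag; do
        [ "$tag" = "(deleted)" ] || continue
        case "$path" in
            *libssl.so*|*libcrypto.so*) printf '%s\n' "$path" ;;
        esac
    done | sort -u
}

# Scan every readable process on this host; prints "PID COMM LIBPATH" per hit.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue
        libs=$(stale_ssl_libs < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample of /proc/<pid>/maps for a daemon started before the
# package upgrade (addresses, device and inode numbers are made up).
SAMPLE_MAPS='7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 131204 /lib/x86_64-linux-gnu/libc-2.19.so
7f3a1c400000-7f3a1c45e000 r-xp 00000000 08:01 131260 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c65e000-7f3a1c661000 rw-p 0005e000 08:01 131260 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c800000-7f3a1c9a0000 r-xp 00000000 08:01 131255 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1cb00000-7f3a1cb21000 r-xp 00000000 08:01 131300 /usr/lib/x86_64-linux-gnu/libgnutls.so.26'

# "--live" scans the running host; otherwise show the hits from the sample.
if [ "${1:-}" = "--live" ]; then
    scan_processes
else
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_libs
fi
```

Any process listed by `--live` should be restarted (or the host rebooted) before the new keys from step 3 are installed, otherwise the old library remains in use.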