[TriLUG] Heartbleed on my desktop?

Aaron Joyner aaron at joyner.ws
Wed Apr 9 08:46:21 EDT 2014


I haven't dug deeply into it, but it does not seem far-fetched to consider
a scenario where you use your desktop to connect to a compromised server
via a long-lived OpenSSL session (OpenVPN, IMAP client using NOTIFY,
possibly even a modestly-long-lived / tar-pitted HTTP/1.1 session), and
that server then uses the heartbeat messages back to the client to explore
the client process' address space.  Suffice to say that anything using
openssl should be upgraded.

Aaron S. Joyner


On Wed, Apr 9, 2014 at 6:05 AM, Igor Partola <igor at igorpartola.com> wrote:

> From what I understand of the bug, it only affects servers (as in apache,
> nginx, postfix, OpenVPN, etc.) Unless you are running something like that
> as a service open to the Internet you are safe. Having said that, just
> upgrade your packages.
>
> On Ubuntu 13.10, according to
> http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1e-3ubuntu1.2/changelog
> version openssl_1.0.1e-3ubuntu1.2 is the patched one. Run 'dpkg -l | grep
> openssl' to see which version you have.
>
> Igor
>
