OS Web

  • OpenSSL Security Advisory

    April 8, 2014 by Mark Artyniuk
  • Today, we were made aware of a critical security hole in the OpenSSL module.  Effected servers have been recompiled and rebooted.

    OpenSSL Security Advisory [07 Apr 2014]
    TLS heartbeat read overrun (CVE-2014-0160)
    A missing bounds check in the handling of the TLS heartbeat extension can be
    used to reveal up to 64k of memory to a connected client or server.
    Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
    1.0.1f and 1.0.2-beta1.
    Thanks for Neel Mehta of Google Security for discovering this bug and to
    Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
    preparing the fix.
    Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
    upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
    1.0.2 will be fixed in 1.0.2-beta2.

Powered by