14 comments

[ 3.5 ms ] story [ 53.2 ms ] thread
Here comes NIST to state the obvious, after the fact.
I already saw some OpenSSL lib patches coming in on Ubuntu 13.10, I guess I don't have to worry ?
Test tool: http://filippo.io/Heartbleed/ (not mine)
I have to say I'm wary of using this for any servers I control; what if they turn out to be vulnerable and this page is just collecting a list of machines to examine in detail later?

Has anyone found an offline tool for checking this?

find /usr/lib -name libssl* -print

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable

This test tool doesn't seem to work properly on servers using self-signed certificates.
(comment deleted)
It's kind of ironic that there are going to be NSA employees who are pissed that this got out. Here's a rewrite once the variable being the elephant in the room is plugged in:

"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeart Extension packets, which allows the NSA to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c"

(comment deleted)