Heartbleed

Started by Mike Stefanik, April 09, 2014, 07:52:42 PM

Mike Stefanik

For those of you using Linux, you should immediately check for any updates to OpenSSL and install them. The Heartbleed bug is a serious vulnerability in OpenSSL 1.0.1 (and later versions) that allows an attacker to read memory on the server that could contain the server's private key, usernames, passwords, etc. This doesn't affect Windows applications that use CAPI and SChannel (or the WinInet APIs); however, it would affect any software that was linked against the OpenSSL libraries on Windows.


Brice Manuel

A bit late, but thank you for the reminder.

Mike Stefanik

Quote from: Brice Manuel on April 23, 2014, 09:09:31 PM
A bit late, but thank you for the reminder.

Just to note, I had posted that on the morning of the 9th, about 24 hours after the initial public disclosure and when patches were issued for OpenSSL. I expect that most system administrators first learned about it on the afternoon of the 7th, but there was some lag between the time it was disclosed and when updates were pushed to the various repositories, etc. This was a "just in case you hadn't heard" kind of post for folks that don't regularly track security advisories.

Brice Manuel

I meant my reply and thank you was a bit late. ;c)

I updated my main systems, but forgot all about a couple of backup systems that I use from time to time when out and about and have access to WiFi. Reading your post reminded me to update those too.

Mike Stefanik

Ah, I was thinking "Well, it was about a day after it went public, but it really wasn't that late, was it?" and that perhaps you thought I had just posted information about it today. In any case, glad to serve as the reminder. If you were running any public servers, also keep in mind that just updating the OpenSSL libraries is only half of the equation. You'll also want to request a reissue of your certificate(s) using a new private key, just in case.

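The reissue step mentioned in the post above only helps if the request is built from a new key. This is an added example, not part of the original thread: it compares the public key in a CSR with the one in the existing certificate. The file names, the subject `/CN=www.example.test`, the RSA 2048 key size and the helper function names are all assumptions.

```shell
#!/bin/sh
# Added example: verify that a certificate reissue request uses a NEW key.
# All paths, the CN and the function names are constructed placeholders.

# SHA-256 over the DER public key read from PEM text on stdin.
pubkey_hash() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}
cert_pubkey_hash() {  # $1 = certificate (PEM)
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | pubkey_hash
}
csr_pubkey_hash() {   # $1 = certificate signing request (PEM)
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | pubkey_hash
}

# 0 = CSR reuses the old certificate's key, 1 = different key,
# 2 = an input could not be parsed (never treat this as "different").
key_reused() {        # $1 = old certificate, $2 = CSR
    old=$(cert_pubkey_hash "$1") || return 2
    new=$(csr_pubkey_hash "$2") || return 2
    [ "$old" = "$new" ]
}

# Generate a fresh private key and a CSR built from it.
new_reissue_request() {  # $1 = new key path, $2 = CSR path, $3 = subject
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl req -new -key "$1" -subj "$3" -out "$2"
}

demo() {
    work=$(mktemp -d) || return 1
    subj="/CN=www.example.test"
    # Constructed stand-in for the key and certificate that were exposed.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$work/old.key" -out "$work/old.crt" 2>/dev/null
    # The mistake to catch: a reissue request built from the old key.
    openssl req -new -key "$work/old.key" -subj "$subj" -out "$work/reused.csr"
    new_reissue_request "$work/new.key" "$work/new.csr" "$subj"
    for csr in reused.csr new.csr; do
        key_reused "$work/old.crt" "$work/$csr"
        case $? in
            0) echo "$csr: same key as the old certificate, do not submit" ;;
            1) echo "$csr: new key, suitable for the reissue request" ;;
            *) echo "$csr: could not read certificate or CSR" ;;
        esac
    done
    rm -rf "$work"
}
demo
```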

Brice Manuel

I didn't see the thread until today, so I was merely commenting on my lateness of a thank you for the reminder.  I should have been more clear. ;c)