In case the impact of this isn't clear, more than likely any web site/service you use has been vulnerable and the nature of the exploit dumps memory from the server that might be totally unrelated to the https service that was exploited. In more direct terms, every password you have anywhere on any service should be considered compromised.

On Mon, Apr 7, 2014 at 1:57 PM, der.hans wrote:
> moin moin,
>
> Based on the following page:
>
> OpenSSL heartbeat is enabled even if you're not using it unless you
> disabled it at compile time.
>
> The vulnerability has been in place for two years ( version 1.0.1 up until
> 1.0.1g that was just released ).
>
> It can be exploited to reveal your private key without leaving a trace.
>
> IDS can probably be configured to detect the attack.
>
> http://heartbleed.com/
>
> ciao,
>
> der.hans
> --
> # http://www.LuftHans.com/ http://www.LuftHans.com/Classes/
> # "The first requisite of a good citizen in this republic of ours is that
> # he should be able and willing to pull his weight." -- Theodore Roosevelt

--
Paul Mooring
Operations Engineer
Chef
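
A host-side check for the two conditions named in the quoted message (release 1.0.1 up to 1.0.1g, and heartbeat not disabled at compile time), as an added example that is not part of the original thread. The function name and the sample outputs are constructed; `-DOPENSSL_NO_HEARTBEATS` is the OpenSSL build flag that compiles the heartbeat extension out.

```shell
#!/bin/sh
# Added example. Classifies the text of `openssl version -a` against the two
# conditions in the thread: release 1.0.1 up to (not including) 1.0.1g, and
# heartbeat left enabled at compile time.
# Prints one of: affected | heartbeat-disabled | not-in-range | unknown
classify_openssl() {
    out=$1
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$out" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')
    case $ver in
        "") echo "unknown"; return 0 ;;
        1.0.1|1.0.1[a-f]|1.0.1-*|1.0.1[a-f]-*) ;;   # e.g. 1.0.1e, 1.0.1e-fips
        *) echo "not-in-range"; return 0 ;;
    esac
    # The "compiler:" line lists build flags; heartbeat is compiled in
    # unless -DOPENSSL_NO_HEARTBEATS appears there.
    if printf '%s\n' "$out" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'; then
        echo "heartbeat-disabled"
    else
        echo "affected"
    fi
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_DEFAULT='OpenSSL 1.0.1e 11 Feb 2013
built on: constructed sample
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'

SAMPLE_NOHB='OpenSSL 1.0.1c 10 May 2012
built on: constructed sample
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'

SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: constructed sample
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'

for s in "$SAMPLE_DEFAULT" "$SAMPLE_NOHB" "$SAMPLE_FIXED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_openssl "$s")"
done
```

On a real host, pass it the live output with `classify_openssl "$(openssl version -a)"`. Distribution packages often backport fixes without changing the version string, so an `affected` result means the vendor advisory and package changelog still need to be checked.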