OpenSSL Security issues

Alan DeKok aland at deployingradius.com
Tue Apr 8 00:00:07 CEST 2014


Arran Cudbard-Bell wrote:
> That's really bad. Think we should add a configure time check to prevent
> the server being built against vulnerable versions?

  https://www.openssl.org/news/secadv_20140407.txt

...  Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

  Wow.  The potential side-effects of this problem are enormous.  ANY
site using TLS for ANYTHING can have ANY memory read by an attacker.

  i.e. secrets, private keys, etc.

  Alan DeKok.
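A configure-time check of the kind asked about in the quoted message can compare the library's packed version number against an affected range and let through a library rebuilt with -DOPENSSL_NO_HEARTBEATS. The C below is an added example, not FreeRADIUS or OpenSSL code: the function names are hypothetical, and the version range is a constructed placeholder to be replaced with the range given in the linked advisory.

```c
/* Added example: not FreeRADIUS or OpenSSL code; all names are hypothetical. */
#include <stdio.h>

/* OpenSSL 1.0.x packs OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * major, minor, fix, patch letter (1 = 'a'), status (0xf = release). */
struct ossl_version { unsigned major, minor, fix, patch, status; };

struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);
    d.status = (unsigned)(v & 0xf);
    return d;
}

/* Render "M.N.F" plus the patch letter (a..z only) for the error message. */
void ossl_format(unsigned long v, char *buf, size_t n)
{
    struct ossl_version d = ossl_decode(v);
    char letter[2] = { 0, 0 };
    if (d.patch >= 1 && d.patch <= 26) letter[0] = (char)('a' + d.patch - 1);
    snprintf(buf, n, "%u.%u.%u%s", d.major, d.minor, d.fix, letter);
}

/* Refuse the build when v lies in [first_affected, first_fixed), unless the
 * library was compiled with -DOPENSSL_NO_HEARTBEATS (no_heartbeats != 0).
 * The status nibble is dropped, so a beta compares equal to its release. */
int build_refused(unsigned long v, int no_heartbeats,
                  unsigned long first_affected, unsigned long first_fixed)
{
    if (no_heartbeats) return 0;
    return (v >> 4) >= (first_affected >> 4) && (v >> 4) < (first_fixed >> 4);
}

int main(void)
{
    /* Constructed placeholder range, not the advisory's: 2.3.4 up to 2.3.4g. */
    const unsigned long lo = 0x2030400fUL, hi = 0x2030407fUL;
    const unsigned long linked = 0x2030406fUL;   /* constructed: 2.3.4f */
    char name[16];
    ossl_format(linked, name, sizeof name);
    if (build_refused(linked, 0, lo, hi)) {
        fprintf(stderr, "refusing to build against OpenSSL %s\n", name);
        return 1;
    }
    return 0;
}
```

In an actual configure test the two inputs would be OPENSSL_VERSION_NUMBER from <openssl/opensslv.h> and whether OPENSSL_NO_HEARTBEATS is defined by the installed headers.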

