7 Apr
2014
7 Apr
'14
6 p.m.
Arran Cudbard-Bell wrote:
That's really bad. Think we should add a configure time check to prevent the server being built against vulnerable versions?
https://www.openssl.org/news/secadv_20140407.txt ... Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. Wow. The potential side-effects of this problem are enormous. ANY site using TLS for ANYTHING can have ANY memory read by an attacker. i.e. secrets, private keys, etc. Alan DeKok.