
Re: My fellow (Debian) Linux users ...



On Sun, 13 Apr 2014, Reco wrote:
> On Sat, 12 Apr 2014 16:07:23 -0500
> John Hasler <jhasler@newsguy.com> wrote:
> > Miles Fidelman writes:
> > > Not just in Germany.  And, if you access password-protected sites that
> > > expose an https: or other SSL interface - those passwords are at risk.
> > 
> > Just TLS and just with Web servers that used the "heartbeat" kluge.
> > Still a very serious bug, though.
> 
> Heartbleed bug is not about 'Just TLS and just with Web servers'.
> At the very least, IMAPS and openvpn are affected by this bug too.
> SSH isn't affected, though. See this for the details:
> 
> https://www.cert.fi/en/reports/2014/vulnerability788210.html

We have verified that at least one of the IMAP servers in Debian will leak
private data (users and passwords) through Heartbleed.

And you must also understand that all data that was sent using these
services is potentially compromised as well.  Not just passwords, keys,
certificates and sessions.  It also includes the emails that were read over
a heartbleed-vulnerable IMAP, and all data that went over a
heartbleed-vulnerable VPN tunnel, for example.

There IS a reason why it was given a "Severity: Apocalyptic" label by the
best in the field:

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

