
Re: My fellow (Debian) Linux users ...



On 2014-04-13, Eduardo M KALINOWSKI <eduardo@kalinowski.com.br> wrote:
> On 12 April 2014 at 20:20, Steve Litt wrote:
>> I'm changing every password: That's about 100 of them.
>
> That's a good thing to do, but only after the server has patched
> openssl and changed its certificate. Otherwise someone could have
> captured the private key and other information that could be used to
> eavesdrop on your newly changed password.

This online tester:

http://possible.lv/tools/hb/

provides this sort of output in the critical case:

ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug
is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be
patched against this bug.

Checking your certificate
Certificate has been reissued since the 0day. Good. <-- Have you
changed the passwords?
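As an added example, not from this post or from the possible.lv tester, here is a small Python parser for the extensions block of a TLS ServerHello. It prints the same "ext NNNNN (name, length=N)" listing shown above and reports whether the server advertised the heartbeat extension (type 15, RFC 6520), refusing any record whose declared length runs past the buffer. The sample bytes are constructed to reproduce the four extensions in the post's output.

```python
import struct

# Extension type numbers as they appear in the post's listing.
EXT_NAMES = {65281: "renegotiation info", 11: "EC point formats",
             35: "session ticket", 15: "heartbeat"}
HEARTBEAT_EXT = 15  # RFC 6520 heartbeat extension type


def parse_extensions(block: bytes) -> list:
    """Decode a ServerHello extensions block: 2-byte total length, then
    (type:2, length:2, data) records. Any length that overruns the buffer
    raises ValueError instead of being read short."""
    if len(block) < 2:
        raise ValueError("block shorter than its length field")
    (total,) = struct.unpack("!H", block[:2])
    if 2 + total != len(block):
        raise ValueError("declared extensions length does not match buffer")
    out, pos, end = [], 2, 2 + total
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", block[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError(f"extension {ext_type} length overruns block")
        out.append((ext_type, block[pos:pos + ext_len]))
        pos += ext_len
    return out


def heartbeat_mode(block: bytes):
    """Heartbeat mode byte if advertised (1 = peer_allowed_to_send,
    2 = peer_not_allowed_to_send), else None."""
    for ext_type, data in parse_extensions(block):
        if ext_type == HEARTBEAT_EXT and len(data) == 1:
            return data[0]
    return None


def describe(block: bytes) -> list:
    """Render the block in the tester's 'ext NNNNN (name, length=N)' style."""
    return [f"ext {t:05d} ({EXT_NAMES.get(t, 'unknown')}, length={len(d)})"
            for t, d in parse_extensions(block)]


# Constructed sample reproducing the post's four extensions (22 bytes total).
SAMPLE = bytes.fromhex(
    "0016"                     # total extensions length = 22
    "ff01" "0001" "00"         # 65281 renegotiation_info, 1 byte
    "000b" "0004" "03000102"   # 11 ec_point_formats, 4 bytes
    "0023" "0000"              # 35 session_ticket, 0 bytes
    "000f" "0001" "01"         # 15 heartbeat, 1 byte: peer_allowed_to_send
)
```

A heartbeat extension in the ServerHello only means the server will speak the protocol; whether it is vulnerable still depends on the OpenSSL build, which is why the tester goes on to probe CVE-2014-0160 separately.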