Re: My fellow (Debian) Linux users ...
On 2014-04-13, Eduardo M KALINOWSKI <firstname.lastname@example.org> wrote:
> At 20:20 on 12 April 2014, Steve Litt wrote:
>> I'm changing every password: That's about 100 of them.
> That's a good thing to do, but only after the server has patched
> openssl and changed its certificate. Otherwise someone could have
> captured the private key and other information that could be used to
> eavesdrop on your newly changed password.
This online tester:
provides this sort of output in the critical case:
ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug
is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be
patched against this bug.
Checking your certificate
Certificate has been reissued since the 0day. Good. <-- Have you
changed the passwords?