| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKLh_qxJgf5jnRb83HzH0fAtH43VWA5KmAv7vZ1JEkUG3_NhHQ@mail.gmail.com> Date: Fri, 11 Apr 2014 07:54:08 +1000 From: "Ivan .Heca" <ivanhec@...il.com> To: David Tomaschik <david@...temoverlord.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 In what appears to be his first comments to the media since the bug was uncovered, Robin Seggelmann said how the bug made its way into live code could "be explained pretty easily". http://m.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html On 11/04/2014 7:15 AM, "David Tomaschik" <david@...temoverlord.com> wrote: > Apache wouldn't have anything in its logs, nor would any application. > OpenSSL sees the heartbeat request and responds on its own, the fact that > a heartbeat occurred never hits the application (it stays entirely within > libssl). > > > On Thu, Apr 10, 2014 at 10:20 AM, Ingo Schmitt < > ingo.schmitt@...arysignals.net> wrote: > > > Is it traceable with the log files when an (successful) attack occurred? > > > > If yes, we could determine whether the vuln has been used by the bad > > guys before. I'm no expert in dealing with apache log files, so I ask > > you ;) > > > > > > On 04/08/14 02:10, Kirils Solovjovs wrote: > > > We are doomed. > > > > > > Description: http://www.openssl.org/news/vulnerabilities.html > > > Article dedicated to the bug: http://heartbleed.com/ > > > Tool to check if TLS heartbeat extension is supported: > > > http://possible.lv/tools/hb/ > > > > > > A missing bounds check in the handling of the TLS heartbeat extension > > > can be used to reveal up to 64kB of memory to a connected client or > > server. > > > > > > 1.0.1[ abcdef] affected. > > > > > > > > > P.S. Happy Monday! > > > > > > _______________________________________________ > > > Sent through the Full Disclosure mailing list > > > http://nmap.org/mailman/listinfo/fulldisclosure > > > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > > > > -- > > --\___________________________________________________ > > ingo.schmitt@...arysignals.net - GnuPG ID: 0xAFD687D2 | > > FP: 7418 77A6 4B59 AF90 4A11 1CCE 91C9 FF1B AFD6 87D2 | > > > > _______________________________________________ > > Sent through the Full Disclosure mailing list > > http://nmap.org/mailman/listinfo/fulldisclosure > > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > > > -- > David Tomaschik > OpenPGP: 0x5DEA789B > http://systemoverlord.com > david@...temoverlord.com > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists