By Unknown Lamer from Slashdot's check-your-bounds department
writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012."
Quoting the security advisory
: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server."
The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming
and should hit mirrors soon, Fedora is having some trouble applying their patches
, but a workaround patch to the package <tt>.spec</tt> (disabling heartbeats) is available for immediate application.Read Replies (0)
Book Review: Mobile HTML5
Posted by News Fetcher on April 07 '14 at 10:45 AM
By samzenpus from Slashdot's read-all-about-it department
:Michael Ross (599789)
Keep reading for the rest of Michael's review. Mobile HTML5
author Estelle Weyl
publisher O'Reilly Media
reviewer Michael Ross
summary An extensive tutorial and reference on HTML5 and CSS3Read Replies (0)