heartbleed

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

http://helpdesk.wisc.edu/page.php?id=39080

How to check for vulnerable versions of OpenSSL

TLS heartbeat read overrun (CVE-2014-0160)

Versions 1.0.1 to 1.0.1f are potentially vulnerable. Version 1.0.1g if the fixed version. Other versions of OpenSSL (1.0.0 branch, 0.9.8 branch) are not vulnerable.

A basic version check: openssl version -a

A more specific check: openssl version -a| grep -oE '1.0.1[a-g]{1}?|DOPENSSL_NO_HEARTBEATS'

This should return the version, assuming version 1.0.1x. If the OPENSSL_NO_HEARTBEATS flag shows up then it’s not vulnerable regardless of version.

heartbleed (last edited 2014-04-09 11:53:05 by bl7-103-23)