This one is a doozy.
http://heartbleed.com/
OpenSSL introduced a heartbeat feature in 1.0.1 (Dec 2011) that contains a bug that allows for arbitrary areas of memory to be read remotely, meaning that anyone who can connect to your server can pull your private keys. Apache-based web servers are the most obvious target, but there are plenty of other things like IMAP/POP3 email servers, VPNs, Linux embedded network appliances to name a few. OpenSSL 1.0.1g has patched this vulnerability but even after you get the fix on your system you'll want to issue new certs because anything issued in that window could be potentially compromised. OpenSSL 0.9.8 is not affected.
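A quick inventory check that follows from the version ranges the post gives (1.0.1 up to 1.0.1f affected, 1.0.1g patched, 0.9.8 and earlier not affected). This is an added example, not code from the original post or from the OpenSSL project; the function names, the regex and the sample version strings are constructed here. It parses the kind of string `openssl version` prints and classifies it, so it can be run across a fleet before deciding which hosts need patching and fresh certs. Versions newer than the 1.0.1 branch are reported as "unknown" because the post does not cover them.

```python
"""Classify an OpenSSL version string against the Heartbleed-affected range.

Added example (not from the original post). Ranges used are the ones the
post states: 1.0.1 with no letter or a letter before 'g' is affected,
1.0.1g and later letters are patched, anything before 1.0.1 (0.9.8, 1.0.0)
is not affected. Branches after 1.0.1 are outside the post and return
"unknown" rather than guessing.
"""
import re
import subprocess

# Matches the version token in output such as "OpenSSL 1.0.1f 6 Jan 2014"
# or "OpenSSL 1.0.1e-fips 11 Feb 2013" (the "-fips" suffix is ignored).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letter) from a version string, or None."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def classify(text):
    """Return 'affected', 'patched', 'not_affected' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter = parsed
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        # 0.9.8 and 1.0.0 predate the heartbeat code entirely.
        return "not_affected"
    if branch == (1, 0, 1):
        # Plain "1.0.1" (empty letter) and 1.0.1a..1.0.1f carry the bug;
        # string comparison on the single letter gives the right order.
        return "patched" if letter >= "g" else "affected"
    # 1.0.2 and later are not described by the post; do not guess.
    return "unknown"


def check_local_openssl(binary="openssl"):
    """Run `openssl version` on this host and classify the result.

    Returns 'unknown' if the binary is missing or cannot be executed.
    """
    try:
        out = subprocess.run([binary, "version"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return "unknown"
    return classify(out)


if __name__ == "__main__":
    # Constructed sample strings in the shape `openssl version` prints.
    for sample in ("OpenSSL 1.0.1f 6 Jan 2014",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"):
        print(f"{sample:30} -> {classify(sample)}")
    print(f"this host                      -> {check_local_openssl()}")
```

A host that comes back "affected" needs the 1.0.1g (or later) package first; after that, as the post says, the certificates that were served by the vulnerable build should be reissued, since the version check alone cannot tell you whether the key was already read out.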