 |
 |
This one is a doosy. http://heartbleed.com/ OpenSSL introduced a heartbeat feature in 1.0.1 (Dec 2011) that contains a bug that allows for arbitrary areas of memory to be read remotely, meaning that anyone who can connect to your server can pull your private keys. Apache-based web servers are the most obvious target, but there are plenty of other things like IMAP/POP3 email servers, VPNs, Linux embedded network appliances to name a few. OpenSSL 1.0.1g has patched this vulnerability but even after you get the fix on your system you'll want to issue new certs because anything issued in that window could be potentially compromised. OpenSSL 0.9.8 is not affected.