Heads up - OpenSSL vulnerability HEARTBLEED


Jon Spriggs

Apr 9, 2014, 7:00:28 AM
to Geekup, PHPNW Mailing List, Free Software Manchester, HACMan, MAN...@listserv.manchester.ac.uk
I don't know if any of you follow the Security news, but there's a major issue doing the rounds at the moment in the OpenSSL library (used notably in HTTPS, but also in all sorts of other unexpected places, such as VPN software, Radius servers and Instant Messengers). It has been vulnerable since ~2011 when OpenSSL 1.0.1 was released. See http://heartbleed.com

If you have an HTTPS based site, you might want to check against your server using this tool: http://filippo.io/Heartbleed/

OpenVPN is affected, and under certain circumstances, FreeRadius is too. Some routers, switches, VPN terminators and firewalls may be affected - either via their web interfaces, or by using insecure libraries for internal processes. You should subscribe to at least any security mailing lists for any critical software and infrastructure you're using for your business or social sites (which is how I started hearing about this lot).

Regards,
--
Jon "The Nice Guy" Spriggs

Mark Baker

Apr 9, 2014, 7:29:28 AM
to ph...@googlegroups.com
Note that it also includes PHP if compiled with OpenSSL using the --with-openssl switch. This is likely to require an upgrade at some point if your PHP is installed from a repo (it may take repos a while to catch up with this), or a recompile (if you build your own) against the patched OpenSSL.

As a major security issue, the best thing about this is that it might force some sites running older versions of PHP to update their version as the fix becomes available.

-- 
Mark Baker