by tptacek
4449 days ago

Ugh, that's a horrible vulnerability. We found something similar in nginx a few years ago, and the result is that you can repeatedly open up client connections and dump server memory as it changes, revealing keys and, without any real effort, authentication info and cookies.

Our (quick) fixes are almost all done:
- recompile OpenSSL where necessary (web, chat, mail, Windows binaries) without heartbeat support
- roll related certs and keys ASAP
And then comes the painful process of suggesting all web service users roll their certs and auth.
Oh, and rotate personal passwords at other sites that issue a warning about OpenSSL...
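As an added example (not part of either commenter's post) of working out "where necessary" in the fix list above: given `openssl version -a` output collected from a set of hosts, this script flags the ones whose OpenSSL still reports an affected upstream version (1.0.1 through 1.0.1f, or 1.0.2-beta1) and whose build flags do not show the heartbeat extension compiled out. The host names and their outputs are constructed samples; `-DOPENSSL_NO_HEARTBEATS` is the real OpenSSL build define that disables the extension.

```python
import re

# Constructed sample output of `openssl version -a` per host (first line is
# the version, the "compiler:" line carries the build CFLAGS). Not real hosts.
INVENTORY = {
    "web-1":  "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_THREADS -O3",
    "chat-1": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O3",
    "mail-1": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -DOPENSSL_THREADS -O3",
    "legacy": "OpenSSL 1.0.0l 6 Jan 2014\ncompiler: gcc -O3",
    "build":  "OpenSSL 1.0.2-beta1 24 Feb 2014\ncompiler: gcc -O3",
}

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def version_has_heartbleed(version_line):
    """True if the upstream version string falls in the affected range:
    1.0.1 through 1.0.1f, and 1.0.2-beta1. Distro packages often backport the
    fix without bumping the letter (e.g. a patched "1.0.1e"), so treat a
    positive result as "verify this host", not as proof it is exposed."""
    m = VERSION_RE.search(version_line)
    if not m:
        raise ValueError("unrecognised version line: %r" % version_line)
    major, minor, fix, letter, beta = m.groups()
    ver = (int(major), int(minor), int(fix))
    if ver == (1, 0, 1):
        return letter < "g"          # "" (plain 1.0.1) .. "f" affected, "g"+ fixed
    if ver == (1, 0, 2):
        return beta == "-beta1"
    return False                     # 0.9.8 and 1.0.0 never had the extension


def heartbeats_compiled_out(version_output):
    """True if the build flags show the heartbeat extension was compiled out,
    i.e. the rebuild the thread describes was actually applied."""
    return "-DOPENSSL_NO_HEARTBEATS" in version_output


def hosts_needing_rebuild(inventory):
    """Hosts whose OpenSSL is in the affected range and was not rebuilt."""
    todo = []
    for host, output in sorted(inventory.items()):
        first_line = output.splitlines()[0]
        if version_has_heartbleed(first_line) and not heartbeats_compiled_out(output):
            todo.append(host)
    return todo


if __name__ == "__main__":
    for host in hosts_needing_rebuild(INVENTORY):
        print("rebuild or upgrade OpenSSL on", host)
```

Once a host is rebuilt or upgraded, the same output check confirms it before the certs and keys on it are rolled, since keys generated on a still-exposed host would need rolling again.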