> The OpenSSL Heartbleed Exploit And You

 
post Apr 9 2014, 09:43
Post #21
S BENZ



Casual Poster
***
Group: Members
Posts: 163
Joined: 15-August 10
Level 220 (Destined)


I am greatly reassured that I did not take the plunge and have all my financial and most other details being handled online a couple of decades ago, looks likely my overall caution 'might' have paid off.

 
post Apr 9 2014, 09:57
Post #22
Arith Undine



ElvenCon
******
Group: Catgirl Camarilla
Posts: 815
Joined: 24-August 11
Level 500 (Ponyslayer)


Now checking all my bank accounts, and e-wallets.
That's really a pain in the ass.

At least, we are safe here.

 
post Apr 9 2014, 11:47
Post #23
Necromusume




*********
Group: Catgirl Camarilla
Posts: 7,069
Joined: 17-May 12
Level 500 (Ponyslayer)



(IMG:https://forums.e-hentai.org/uploads/post-986243-1397036629.jpg)

I am reading your passwords
With my mind



This post has been edited by mechafujoshi: Apr 9 2014, 11:48

 
post Apr 9 2014, 11:53
Post #24
Tresik



Newcomer
*
Group: Members
Posts: 17
Joined: 13-March 13
Level 247 (Godslayer)


Good job informing people about this very important issue.

 
post Apr 9 2014, 12:05
Post #25
Wizards



Newcomer
*
Group: Recruits
Posts: 13
Joined: 28-May 10
Level 235 (Godslayer)


"https://e-hentai.org/" has been GFW ~
o((⊙﹏⊙))o

 
post Apr 9 2014, 13:16
Post #26
LostLogia4



Translating Miku's Yuri Nikki for the heck of it~~
********
Group: Gold Star Club
Posts: 2,716
Joined: 4-June 11
Level 362 (Godslayer)


Okay, I might be about half a day late, but I've updated the OpenSSL on my H@Home server in response to this vulnerability. If you have any servers that use OpenSSL, you should update them ASAP.

As for my server, the provider for my VPN hasn't quite added the updated OpenSSL into their repo, so I added the OS's main repo in response.

This post has been edited by LostLogia4: Apr 9 2014, 13:18

 
post Apr 9 2014, 14:19
Post #27
blue penguin



in umbra, igitur, pugnabimus
***********
Group: Gold Star Club
Posts: 10,046
Joined: 24-March 12
Level 500 (Godslayer)


QUOTE(LostLogia4 @ Apr 9 2014, 12:16) *

Okay, I might be about half a day late, but I've updated the OpenSSL on my H@Home server in response to this vulnerability. If you have any servers that use OpenSSL, you should update them ASAP.

As for my server, the provider for my VPN hasn't quite added the updated OpenSSL into their repo, so I added the OS's main repo in response.

Debian and Red Hat (at least) are still behind; if you wanna make sure 100% that you're safe from Heartbleed, cross-check the openssl.
CODE
$ openssl version

e.g. on the latest Debian wheezy it still gives:
CODE
OpenSSL 1.0.1e 11 Feb 2013
which contains the heartbleed bug.

(remember that the bug is around server HTTPS, if you do not use HTTPS for anything you're good)

EDIT: You can update Debian to a decent openssl version. Thanks mechafujoshi

This post has been edited by blue penguin: Apr 9 2014, 14:49

 
post Apr 9 2014, 14:42
Post #28
Necromusume




*********
Group: Catgirl Camarilla
Posts: 7,069
Joined: 17-May 12
Level 500 (Ponyslayer)


QUOTE(blue penguin @ Apr 9 2014, 12:19) *

Debian and Red Hat (at least) are still behind; if you wanna make sure 100% that you're safe from Heartbleed, cross-check the openssl.
CODE
$ openssl version

e.g. on the latest Debian wheezy it still gives:
CODE
OpenSSL 1.0.1e 11 Feb 2013
which contains the heartbleed bug.

Debian did issue a patch on April 7:
[www.debian.org] https://www.debian.org/security/2014/dsa-2896
QUOTE

For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5.

They usually backport security patches to the exact version in stable to avoid introducing additional lightly-tested code or causing breakage in running systems, so stable gets a patched 1.0.1e.

>Go to your bank
>They don't say anything about it. If you don't know yet, they don't want you to know.
>Go to your hentai site
>Today's programming is pre-empted to tell you all about it

 
post Apr 9 2014, 16:25
Post #29
Tenboro

Admin




Not sure about RHEL (Red Hat), but CentOS pushed a very quick patch that simply disables the heartbeat functionality without waiting for upstream. It will still show as 1.0.1e with openssl version, but if you rpm -q openssl it will show as openssl-1.0.1e-16.el6_5.7.

Edit: There is a patch for RHEL 6 as well, I believe CentOS replaced their patch with the upstream's.
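Added example, not part of any post in this thread: because Debian and CentOS backport the fix, `openssl version` keeps printing 1.0.1e, so the check has to compare the full package version against the fixed builds quoted in posts #28 and #29. The function names, the `sort -V` comparison and the sample installed versions are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Fixed-build strings are the ones quoted in the posts above;
# the installed versions fed to classify() below are constructed samples.
DEBIAN_WHEEZY_FIXED='1.0.1e-2+deb7u5'   # DSA-2896, as quoted in post #28
CENTOS6_FIXED='1.0.1e-16.el6_5.7'       # rpm -q output quoted in post #29

# ver_ge A B: succeeds when A sorts at or after B in version order.
# Uses sort -V (GNU coreutils, recent BusyBox), an approximation of dpkg/rpm
# ordering that is adequate for these same-branch release strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# upstream_affected V: succeeds for upstream releases 1.0.1 through 1.0.1f.
upstream_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# classify PKG FIXED: PKG is the full package version, for example from
#   dpkg-query -W -f='${Version}\n' openssl
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
classify() {
    pkg=$1
    fixed=$2
    upstream=${pkg%%-*}          # part before the distro revision
    if ! upstream_affected "$upstream"; then
        echo "upstream-not-affected"
    elif ver_ge "$pkg" "$fixed"; then
        echo "patched-backport"
    else
        echo "vulnerable"
    fi
}

# Demo on constructed inputs: same "1.0.1e" upstream string, different verdicts.
for v in '1.0.1e-2+deb7u4' '1.0.1e-2+deb7u5'; do
    printf '%-20s %s\n' "$v" "$(classify "$v" "$DEBIAN_WHEEZY_FIXED")"
done
for v in '1.0.1e-16.el6_5.4' '1.0.1e-16.el6_5.7'; do
    printf '%-20s %s\n' "$v" "$(classify "$v" "$CENTOS6_FIXED")"
done
```

Upgrading the package does not replace the library already loaded by running daemons, so TLS services need a restart after the update.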

 
post Apr 9 2014, 18:54
Post #30
blue penguin



in umbra, igitur, pugnabimus
***********
Group: Gold Star Club
Posts: 10,046
Joined: 24-March 12
Level 500 (Godslayer)


Cool, they're fast when the breach is big. From what I looked around today, the only distros from the Red Hat copies family that haven't made patches are Oracle Linux (no surprise there) and CERN's Scientific Linux (which personally I'm super pissed with, as I do have a server running https nginx with this OS).

 
post Apr 9 2014, 19:46
Post #31
rickshawpanda77



Newcomer
*
Group: Members
Posts: 20
Joined: 23-December 11
Level 57 (Expert)


For people worried about online banking, don't worry about it too much. The banks have better security, not to mention if you do get robbed your bank will help you with that. However, for your yahoo accounts you guys better start changing passwords

 
post Apr 9 2014, 20:58
Post #32
Freedomno1



Casual Poster
***
Group: Members
Posts: 124
Joined: 25-January 10
Level 363 (Godslayer)


Since heartbleed also affects Bitcoins I would recommend users running Bitcoin QT to move up to version 0.9.1

News: ♦♦ A bug in OpenSSL, used by Bitcoin-Qt/Bitcoin Core, could allow your bitcoins to be stolen. Immediately updating Bitcoin Core to 0.9.1 is required in some cases, especially if you're using 0.9.0. Download. More info.

[bitcoin.org] https://bitcoin.org/bin/0.9.1/ Download
[bitcointalk.org] https://bitcointalk.org/index.php?topic=562400.0 More Info

 
post Apr 9 2014, 21:14
Post #33
mokkah



Newcomer
*
Group: Members
Posts: 21
Joined: 11-November 12


QUOTE(rickshawpanda77 @ Apr 9 2014, 19:46) *

For people worried about online banking, don't worry about it too much. The banks have better security, not to mention if you do get robbed your bank will help you with that. However, for your yahoo accounts you guys better start changing passwords

This is a dangerous thing to say, all online banking services are different and there's no doubt they employ talented people, but it doesn't mean none of them are vulnerable.

This is probably the most serious security bug since the web became mainstream, pretty scary.

 
post Apr 9 2014, 21:49
Post #34
kingwolf



Gonna be a lot of shredded beef when I'm done with you
*********
Group: Members
Posts: 6,438
Joined: 16-July 09
Level 370 (Destined)


[filippo.io] Heartbleed test

This'll help you find out which sites are vulnerable. The big stuff like Google, Microsoft and Amazon are fine.

 
post Apr 9 2014, 22:13
Post #35
blue penguin



in umbra, igitur, pugnabimus
***********
Group: Gold Star Club
Posts: 10,046
Joined: 24-March 12
Level 500 (Godslayer)


QUOTE(Freedomno1 @ Apr 9 2014, 19:58) *

Since heartbleed also affects Bitcoins I would recommend users running Bitcoin QT to move up to version 0.9.1

News: ♦♦ A bug in OpenSSL, used by Bitcoin-Qt/Bitcoin Core, could allow your bitcoins to be stolen. Immediately updating Bitcoin Core to 0.9.1 is required in some cases, especially if you're using 0.9.0. Download. More info.

[bitcoin.org] https://bitcoin.org/bin/0.9.1/ Download
[bitcointalk.org] https://bitcointalk.org/index.php?topic=562400.0 More Info

*snip*

EDIT: bad info, sorry

This post has been edited by blue penguin: Apr 10 2014, 02:43

 
post Apr 9 2014, 23:17
Post #36
Tenboro

Admin




QUOTE(blue penguin @ Apr 9 2014, 22:13) *
Only if you use web wallets (don't use those) or boot the UI/integrate your bitcoin client with your browser.i.e. But do update your bitcoin client, e.g. if you plan to use the GUI in the future.


False. The GUI version of Bitcoin Core 0.9.0 was vulnerable to Heartbleed even if you didn't enable RPC SSL. It's part of their new payment request thingie (BIP 0070). Prior versions were not vulnerable, unless you enabled RPC SSL.

 
post Apr 10 2014, 03:25
Post #37
slyborg



Newcomer
*
Group: Members
Posts: 49
Joined: 17-June 08
Level 189 (Lord)


The bug is certain to be exploited now that it is public, but I think some of the breathless talk about all past SSL transactions being exposed is tabloid hyperbole. Exploiting this on a wide scale would require huge amounts of effort, since you get 64K of process memory per attempt, which might or might not contain keys. As a targeted attack against specific targets it is a huge problem since it could lead to silent compromise of site keys which could be used to pwn people en masse, but against individual traffic, not so much.

tl;dr if you run a service using SSL, better update your openssl and change your certs, but some guy in Moldova is not reading your Yahoo mail tonight because of this bug.

 
post Apr 10 2014, 08:44
Post #38
S BENZ



Casual Poster
***
Group: Members
Posts: 163
Joined: 15-August 10
Level 220 (Destined)


Well good news for me my passbook account at my bank is A O K as well as my cheque book account too so I am in the apparent all-clear.

 
post Apr 10 2014, 12:43
Post #39
LurkerDan



Newcomer
*
Group: Members
Posts: 21
Joined: 14-May 12
Level 16 (Novice)


Really, the only surprising thing about this is that it didn't happen sooner.
I feel reconfirmed with my policy to write any dynamic system on my websites myself.

 
post Apr 10 2014, 12:52
Post #40
4M4M



Newcomer
*
Group: Members
Posts: 22
Joined: 11-January 12
Level 93 (Lord)


Damn, just when I started using Google Wallet.

(I guess it doesn't affect me directly -seems like my bank account is just fine- but heartbleed will make any upcoming transaction quite scary).

