Thu Oct 29 12:11:38 2020
EVENTS
 FREE
SOFTWARE
INSTITUTE

POLITICS
JOBS
MEMBERS'
CORNER

MAILING
LIST

NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your peice.

DATE 2014-04-01

HANGOUT

2020-10-29 | 2020-09-29 | 2020-08-29 | 2020-07-29 | 2020-06-29 | 2020-05-29 | 2020-04-29 | 2020-03-29 | 2020-02-29 | 2020-01-29 | 2019-12-29 | 2019-11-29 | 2019-10-29 | 2019-09-29 | 2019-08-29 | 2019-07-29 | 2019-06-29 | 2019-05-29 | 2019-04-29 | 2019-03-29 | 2019-02-28 | 2019-01-28 | 2018-12-28 | 2018-11-28 | 2018-10-28 | 2018-09-28 | 2018-08-28 | 2018-07-28 | 2018-06-28 | 2018-05-28 | 2018-04-28 | 2018-03-28 | 2018-02-28 | 2018-01-28 | 2017-12-28 | 2017-11-28 | 2017-10-28 | 2017-09-28 | 2017-08-28 | 2017-07-28 | 2017-06-28 | 2017-05-28 | 2017-04-28 | 2017-03-28 | 2017-02-28 | 2017-01-28 | 2016-12-28 | 2016-11-28 | 2016-10-28 | 2016-09-28 | 2016-08-28 | 2016-07-28 | 2016-06-28 | 2016-05-28 | 2016-04-28 | 2016-03-28 | 2016-02-28 | 2016-01-28 | 2015-12-28 | 2015-11-28 | 2015-10-28 | 2015-09-28 | 2015-08-28 | 2015-07-28 | 2015-06-28 | 2015-05-28 | 2015-04-28 | 2015-03-28 | 2015-02-28 | 2015-01-28 | 2014-12-28 | 2014-11-28 | 2014-10-28 | 2014-09-28 | 2014-08-28 | 2014-07-28 | 2014-06-28 | 2014-05-28 | 2014-04-28 | 2014-03-28 | 2014-02-28 | 2014-01-28 | 2013-12-28 | 2013-11-28 | 2013-10-28 | 2013-09-28 | 2013-08-28 | 2013-07-28 | 2013-06-28 | 2013-05-28 | 2013-04-28 | 2013-03-28 | 2013-02-28 | 2013-01-28 | 2012-12-28 | 2012-11-28 | 2012-10-28 | 2012-09-28 | 2012-08-28 | 2012-07-28 | 2012-06-28 | 2012-05-28 | 2012-04-28 | 2012-03-28 | 2012-02-28 | 2012-01-28 | 2011-12-28 | 2011-11-28 | 2011-10-28 | 2011-09-28 | 2011-08-28 | 2011-07-28 | 2011-06-28 | 2011-05-28 | 2011-04-28 | 2011-03-28 | 2011-02-28 | 2011-01-28 | 2010-12-28 | 2010-11-28 | 2010-10-28 | 2010-09-28 | 2010-08-28 | 2010-07-28 | 2010-06-28 | 2010-05-28 | 2010-04-28 | 2010-03-28 | 2010-02-28 | 2010-01-28 | 2009-12-28 | 2009-11-28 | 2009-10-28 | 2009-09-28 | 2009-08-28 | 2009-07-28 | 2009-06-28 | 2009-05-28 | 2009-04-28 | 2009-03-28 | 2009-02-28 | 2009-01-28 | 2008-12-28 | 2008-11-28 | 2008-10-28 | 2008-09-28 | 2008-08-28 | 2008-07-28 | 2008-06-28 | 2008-05-28 | 2008-04-28 | 2008-03-28 | 2008-02-28 | 2008-01-28 | 2007-12-28 | 2007-11-28 | 2007-10-28 | 2007-09-28 | 2007-08-28 | 2007-07-28 | 2007-06-28 | 2007-05-28 | 2007-04-28 | 2007-03-28 | 2007-02-28 | 2007-01-28 | 2006-12-28 | 2006-11-28 | 2006-10-28 | 2006-09-28 | 2006-08-28 | 2006-07-28 | 2006-06-28 | 2006-05-28 | 2006-04-28 | 2006-03-28 | 2006-02-28 | 2006-01-28 | 2005-12-28 | 2005-11-28 | 2005-10-28 | 2005-09-28 | 2005-08-28 | 2005-07-28 | 2005-06-28 | 2005-05-28 | 2005-04-28 | 2005-03-28 | 2005-02-28 | 2005-01-28 | 2004-12-28 | 2004-11-28 | 2004-10-28 | 2004-09-28 | 2004-08-28 | 2004-07-28 | 2004-06-28 | 2004-05-28 | 2004-04-28 | 2004-03-28 | 2004-02-28 | 2004-01-28 | 2003-12-28 | 2003-11-28 | 2003-10-28 | 2003-09-28 | 2003-08-28 | 2003-07-28 | 2003-06-28 | 2003-05-28 | 2003-04-28 | 2003-03-28 | 2003-02-28 | 2003-01-28 | 2002-12-28 | 2002-11-28 | 2002-10-28 | 2002-09-28 | 2002-08-28 | 2002-07-28 | 2002-06-28 | 2002-05-28 | 2002-04-28 | 2002-03-28 | 2002-02-28 | 2002-01-28 | 2001-12-28 | 2001-11-28 | 2001-10-28 | 2001-09-28 | 2001-08-28 | 2001-07-28 | 2001-06-28 | 2001-05-28 | 2001-04-28 | 2001-03-28 | 2001-02-28 | 2001-01-28 | 2000-12-28 | 2000-11-28 | 2000-10-28 | 2000-09-28 | 2000-08-28 | 2000-07-28 | 2000-06-28 | 2000-05-28 | 2000-04-28 | 2000-03-28 | 2000-02-28 | 2000-01-28 | 1999-12-28

Key: Value:

Key: Value:

MESSAGE
DATE 2014-04-09
FROM Ruben Safir
SUBJECT Subject: [NYLXS - HANGOUT] openssl patches
From owner-hangout-outgoing-at-mrbrklyn.com Wed Apr 9 21:17:15 2014
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix)
id A141416115B; Wed, 9 Apr 2014 21:17:14 -0400 (EDT)
Delivered-To: hangout-outgoing-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix, from userid 28)
id 8C54616115D; Wed, 9 Apr 2014 21:17:14 -0400 (EDT)
Delivered-To: hangout-at-nylxs.com
Received: from mailbackend.panix.com (mailbackend.panix.com [166.84.1.89])
by mrbrklyn.com (Postfix) with ESMTP id E110F16115B
for ; Wed, 9 Apr 2014 21:17:13 -0400 (EDT)
Received: from [10.0.0.57] (unknown [96.57.23.82])
by mailbackend.panix.com (Postfix) with ESMTP id 337DF2E676
for ; Wed, 9 Apr 2014 21:17:02 -0400 (EDT)
Message-ID: <5345F13B.4030507-at-panix.com>
Date: Wed, 09 Apr 2014 21:17:47 -0400
From: Ruben Safir
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Hangout
Subject: [NYLXS - HANGOUT] openssl patches
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Sender: owner-hangout-at-mrbrklyn.com
Precedence: bulk
Reply-To: hangout-at-mrbrklyn.com

http://www.eweek.com/security/heartbeat-ssl-flaw-puts-linux-distros-at-risk.html/

Home
Security / Heartbeat SSL Flaw Puts
Linux Distros at Risk
right


Heartbeat SSL Flaw Puts Linux Distros at Risk

By Sean Michael Kerner
| Posted 2014-04-08
Email this article Email

Print this article Print


Linux server security


NEWS ANALYSIS: Hours after the flaw's disclosure, many Linux
distributions didn't have a patch. Now that a fix is out, OpenSSL
users should make sure to update their servers.

The Secure Sockets Layer (SSL
) is at the foundation of all
Web based communications, and when security flaws are found, immediate
fixes are required. On April 7, the open-source OpenSSL project issued
an advisory regarding a
critical vulnerability that could potentially leave millions of users at
risk. The flaw?identified as CVE-2014-0160
and
called "TLS heartbeat read overrun"?has been present in OpenSSL since
March 2012, but it was just recently discovered. However, the flaw has
been unofficially dubbed "Heartbleed" by security research firm
Codenomicon, which is the name that has caught on in most subsequent
media reports. "A missing bounds check in the handling of the TLS
[Transport Layer Security] heartbeat extension can be used to reveal up
to 64k of memory to a connected client or server," the OpenSSL advisory
warns.
5 Technology Trends you Need to Follow
Download Now
OpenSSL is an open-source SSL library that is widely used in conjunction
with Web servers and Linux distributions. The flaw was first reported by
Neel Mehta of Google's security team, and the OpenSSL project has issued
a fix with the new OpenSSL 1.0.1g update.
Researchers with security firm Codenomicon also claim to have discovered
the flaw. In a Web page FAQ list on the
Heartbeat flaw, Codenomicon explains that the CVE-2014-0160 bug is in
the OpenSSL's implementation of the TLS/DTLS, or Transport Layer
Security/Datagram Transport Layer Security, heartbeat extension (RFC6520
). "When it is exploited, it leads
to the leak of memory contents from the server to the client and from
the client to the server," Codenomicon states. What that means is that
sessions that were encrypted could be decrypted, thanks to a memory
leak. Going a step further, given that most Web servers use a
single-server key to encrypt SSL, all communications with a vulnerable
server could potentially be at risk. Aside from updating to the new
version of OpenSSL, Web server administrators should also consider
implementing Perfect Forward Secrecy (PFS). PFS is a technique that
creates a new unique session key for each encrypted session that would
limit the risk of retrospective decryption. (A recent eSeminars Live
event offers
insight on PFS). The other big issue with the Heartbeat flaw is how the
bug was actually disclosed. Yes, the OpenSSL project only released its
advisory after it had a fix, which is a good idea; however OpenSSL use
is much wider than just the OpenSSL project. Each individual Linux
distribution has its own packaged version of OpenSSL that needs to be
updated, as well. I contacted Red Hat late in the afternoon on April 7,
and at the time, they were aware of the issue but did not yet have a
patch available for users. At 11 p.m., I received an email from Red
Hat's Fedora project notifying me that new OpenSSL packages were
available to fix the flaw. Red Hat Enterprise Linux users got access to
the patch early on
April 8. While Red Hat and other Linux vendors did not have patches
immediately available when the OpenSSL advisory was released, cloud
security vendor CloudFlare did. In a blog post
,
CloudFlare claims to have fixed the CVE-2014-0160 flaw before it became
public. "As one of the largest deployments of OpenSSL on the Internet
today, CloudFlare has a responsibility to be vigilant about fixing these
types of bugs before they go public and attackers start exploiting them
and putting our customers at risk," CloudFlare blogged. It is unclear
how CloudFlare was able to get access to the flaw information before a
big Linux vendor like Red Hat. A proper responsible bug disclosure
process should have included all stakeholders so that all affected
parties could issue a fix at the same time. With the CVE-2014-0160 flaw,
there was a small window of exposure from the time the OpenSSL project
issued its advisory and CloudFlare blogged on the issue, until Linux
projects had patches available for users. That's just not right and
could have put millions of people at unnecessary risk. In any event, it
is incumbent on all OpenSSL users to immediately make sure that they are
not at risk today and have updated their servers. /Sean Michael Kerner
is a senior editor at /eWEEK/and /InternetNews.com./Follow him on
Twitter -at-TechJournalist/. /Editor's Note: This story has been updated to
include the "Heartbleed" unofficial name for the "TLS heartbeat read
overrun" flaw reported by the OpenSSL Project./

  1. 2014-04-01 Ruben <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] wonders of okcupid
  2. 2014-04-03 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Urgent
  3. 2014-04-05 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Urgent
  4. 2014-04-05 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Urgent
  5. 2014-04-05 Ron Guerin <ron-at-vnetworx.net> Re: [NYLXS - HANGOUT] [ruben-at-mrbrklyn.com: [caroleheadsup-at-caroleking.com:
  6. 2014-04-05 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] [ruben-at-mrbrklyn.com: [caroleheadsup-at-caroleking.com:
  7. 2014-04-05 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] [ruben-at-mrbrklyn.com: [caroleheadsup-at-caroleking.com:
  8. 2014-04-05 Ron Guerin <ron-at-vnetworx.net> Re: [NYLXS - HANGOUT] [ruben-at-mrbrklyn.com: [caroleheadsup-at-caroleking.com:
  9. 2014-04-06 Elfen Magix <elfen_magix-at-yahoo.com> Re: [NYLXS - HANGOUT] Urgent
  10. 2014-04-08 Kevin Mark <kevin.mark-at-verizon.net> Re: [NYLXS - HANGOUT] Urgent
  11. 2014-04-08 Ron Guerin <ron-at-vnetworx.net> Re: [NYLXS - HANGOUT] Urgent
  12. 2014-04-08 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Taliban
  13. 2014-04-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Urgent
  14. 2014-04-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Urgent
  15. 2014-04-08 Ron Guerin <ron-at-vnetworx.net> Re: [NYLXS - HANGOUT] Urgent
  16. 2014-04-08 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] openssl security hole
  17. 2014-04-09 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Urgent
  18. 2014-04-09 eminker-at-gmail.com Re: [NYLXS - HANGOUT] Urgent
  19. 2014-04-09 eminker-at-gmail.com Re: [NYLXS - HANGOUT] Urgent
  20. 2014-04-09 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Fwd: [Israel.pm] Seeking an IT manager
  21. 2014-04-09 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] openssl patches
  22. 2014-04-09 From: "Michael L. Richardson" <mlr52-at-michaellrichardson.com> Subject: [NYLXS - HANGOUT] From Michael
  23. 2014-04-09 From: "Michael L. Richardson" <mlr52-at-michaellrichardson.com> Subject: [NYLXS - HANGOUT] From Michael
  24. 2014-04-09 Ron Guerin <ron-at-vnetworx.net> Re: [NYLXS - HANGOUT] openssl patches
  25. 2014-04-09 Ron Guerin <ron-at-vnetworx.net> Re: [NYLXS - HANGOUT] From Michael
  26. 2014-04-10 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] cctv dvr routing
  27. 2014-04-10 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] cctv dvr routing
  28. 2014-04-11 Contrarian <adrba-at-nyct.net> Subject: [NYLXS - HANGOUT] replacement for Mozilla?
  29. 2014-04-11 Ron Guerin <ron-at-vnetworx.net> Re: [NYLXS - HANGOUT] replacement for Mozilla?
  30. 2014-04-13 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] gnu/cash
  31. 2014-04-16 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] MIT Classes
  32. 2014-04-16 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] the best of 21st century customer service
  33. 2014-04-17 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Shani is Engaged
  34. 2014-04-17 From: "Paul Robert Marino" <prmarino1-at-gmail.com> Re: [NYLXS - HANGOUT] Shani is Engaged
  35. 2014-04-17 From: "Paul Robert Marino" <prmarino1-at-gmail.com> Re: [NYLXS - HANGOUT] Shani is Engaged
  36. 2014-04-17 eminker-at-gmail.com Re: [NYLXS - HANGOUT] Shani is Engaged
  37. 2014-04-17 eminker-at-gmail.com Re: [NYLXS - HANGOUT] Shani is Engaged
  38. 2014-04-18 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Shani is Engaged
  39. 2014-04-18 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Shani is Engaged
  40. 2014-04-18 eminker-at-gmail.com Re: [NYLXS - HANGOUT] Shani is Engaged
  41. 2014-04-18 eminker-at-gmail.com Re: [NYLXS - HANGOUT] Shani is Engaged
  42. 2014-04-18 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Shani is Engaged
  43. 2014-04-18 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Shani is Engaged
  44. 2014-04-18 Ron Guerin <ron-at-vnetworx.net> Re: [NYLXS - HANGOUT] Shani is Engaged
  45. 2014-04-21 Elfen Magix <elfen_magix-at-yahoo.com> Subject: [NYLXS - HANGOUT] Medical Update 042114
  46. 2014-04-23 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] just for fun
  47. 2014-04-25 Ruben <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Net Nuetrality
  48. 2014-04-25 Robert Menes <viewtiful.icchan-at-gmail.com> Re: [NYLXS - HANGOUT] Net Nuetrality
  49. 2014-04-25 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Si Ling Schekels
  50. 2014-04-27 From: "Paul Robert Marino" <prmarino1-at-gmail.com> Re: [NYLXS - HANGOUT] Net Nuetrality
  51. 2014-04-28 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Net Nuetrality
  52. 2014-04-28 Ruben Safir <mrbrklyn-at-panix.com> Re: [NYLXS - HANGOUT] Net Nuetrality
  53. 2014-04-28 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] [groups-noreply-at-linkedin.com: How Do I Get Into Pharmacy IT or
  54. 2014-04-28 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] NYLXS publishing possibility
  55. 2014-04-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Net Neutrality
  56. 2014-04-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] government for sale
  57. 2014-04-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Duck Duck Go Plugins
  58. 2014-04-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Open Sourced Healthcare
  59. 2014-04-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] The Slashdot Generation ... coming to an end
  60. 2014-04-30 Ruben Safir <mrbrklyn-at-panix.com> Subject: [NYLXS - HANGOUT] Fwd: Net neutrality emergency

NYLXS are Do'ers and the first step of Doing is Joining! Join NYLXS and make a difference in your community today!