On April 7, 2014, a security vulnerability affecting servers that use OpenSSL was published. This flaw was discovered by codenomicon.com and a computer scientist at Google. Some experts consider it the most significant flaw discovered since SQL injection.
You will find the details of the vulnerability at the following address: http://heartbleed.com/
What does it allow?
This flaw allows an attacker to recover the private key of X.509 certificates, as well as user names and passwords. X.509 certificates are used to encrypt and decrypt data.
Since when does it exist?
It seems that this flaw has existed since December 2011. Not all versions of OpenSSL are affected. Here is the status:
- OpenSSL 1.0.1 to 1.0.1f (included) is vulnerable,
- OpenSSL 1.0.1g is not vulnerable
- OpenSSL 1.0.0 branch is not vulnerable
- OpenSSL 0.9.8 branch is not vulnerable.
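As an added example (not part of the original post), the following POSIX shell snippet classifies an OpenSSL version string against the status list above and reports on the locally installed binary. The sample `openssl version` line used in the comments is constructed, and the check looks only at the version number: a distribution may backport the CVE-2014-0160 fix without changing it, so the package manager's changelog is the final word.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the status list above.
# Returns 0 (shell "true") when the version lies in the vulnerable
# range 1.0.1 .. 1.0.1f, and 1 for every other version.
is_heartbleed_version() {
    case "$1" in
        1.0.1)        return 0 ;;   # 1.0.1 with no letter suffix
        1.0.1[a-f])   return 0 ;;   # 1.0.1a .. 1.0.1f
        1.0.1[a-f]-*) return 0 ;;   # suffixed builds, e.g. 1.0.1e-fips
        *)            return 1 ;;   # 1.0.1g and later, 1.0.0, 0.9.8, ...
    esac
}

# Extract the version token (second word) from an "openssl version"
# line such as the constructed sample "OpenSSL 1.0.1e 11 Feb 2013".
version_token() {
    set -- $1
    printf '%s\n' "$2"
}

# Print a verdict for the OpenSSL binary found on this machine.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        ver=$(version_token "$(openssl version)")
        if is_heartbleed_version "$ver"; then
            echo "OpenSSL $ver: version is in the vulnerable range 1.0.1-1.0.1f"
        else
            echo "OpenSSL $ver: version is not in the vulnerable range"
        fi
    else
        echo "openssl binary not found"
    fi
}

check_local_openssl
```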
How to fix it?
Most Linux distributions have released a patch. Simply apply your updates through the package manager. More information can be found at the following links:
- Official OpenSSL website: http://www.openssl.org/news/vulnerabilities.html
- For Debian: https://security-tracker.debian.org/tracker/CVE-2014-0160
- For RedHat: http://rhn.redhat.com/errata/RHSA-2014-0376.html
Remember that it is recommended to update your applications and services regularly, in order to ensure their stability and security.
We also recommend setting up firewall-type protection, in order to prevent illicit access to the server.
If you have a shared or managed hosting plan, you should know that our teams have already taken the necessary steps. Our technical support remains at your disposal for any further request.