Last Updated: 2012-04-19 19:41:49 UTC
by Kevin Shortt (Version: 1)
Earlier today, the OpenSSL team released a fix for a recently discovered vulnerability: a heap overflow in the code that reads DER-encoded ASN.1 structures, which exposes any application that uses that part of OpenSSL.
Since OpenSSL is used so extensively, there is much speculation and discussion about who is vulnerable. Here are some highlights and links from the reading I've done today.
- UPGRADE to the latest version as soon as you can. 
- The SSL/TLS code of OpenSSL is *not* affected; the bug is in the routines that read DER-encoded ASN.1 data from a BIO.
OpenSSH does not use that code, which means OpenSSH is NOT vulnerable.
- Read Tavis Ormandy's good, detailed explanation of the vulnerability.
Tavis is credited with discovering it.
- If Apache loads its certificates as PEM files (the usual setup) and is not parsing untrusted DER-encoded data, your risk is lower; upgrade anyway.
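As an added example, not part of this diary, the following POSIX shell script performs the checks behind the two bullets above: it reports the OpenSSL version in use and walks an Apache SSL configuration, classifying each file named by a certificate directive as PEM or DER by its on-disk encoding. The directive names (SSLCertificateFile and friends) are mod_ssl's real ones; the config path is whatever you pass in, and the classification rule (a `-----BEGIN` header line means PEM, a leading 0x30 SEQUENCE tag means DER) is an assumption that covers the common cases, not an authoritative parser.

```shell
#!/bin/sh
# Added example (not from the ISC diary): report the OpenSSL version and
# classify the certificate/key files an Apache SSL config references as
# PEM or DER. Paths are whatever the caller supplies; the encoding test
# below is a heuristic (assumption), not a full parser.

# Print the OpenSSL version string so it can be compared with the fixed
# releases named in the OpenSSL advisory.
openssl_version() {
    openssl version 2>/dev/null || echo "openssl binary not found"
}

# Classify a file by its on-disk encoding:
#   PEM     - starts with a "-----BEGIN" header line
#   DER     - first byte is 0x30, the ASN.1 SEQUENCE tag every X.509
#             certificate and RSA key structure begins with
#   UNKNOWN - anything else
#   MISSING - file does not exist or is unreadable
cert_encoding() {
    f=$1
    [ -r "$f" ] || { echo "MISSING"; return; }
    if head -c 10 "$f" | grep -q -- '-----BEGIN'; then
        echo "PEM"
    elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' ')" = "30" ]; then
        echo "DER"
    else
        echo "UNKNOWN"
    fi
}

# List the paths named by SSLCertificateFile, SSLCertificateKeyFile,
# SSLCertificateChainFile and SSLCACertificateFile directives in a config
# file (leading whitespace tolerated, one path per line).
apache_cert_files() {
    conf=$1
    grep -E '^[[:space:]]*SSL(Certificate|CertificateKey|CertificateChain|CACertificate)File[[:space:]]' "$conf" \
        | awk '{print $2}'
}

# Print "<path> <encoding>" for every referenced file and return 1 if any
# of them is DER-encoded, 0 otherwise, so the result can drive a script.
audit_apache_conf() {
    conf=$1
    rc=0
    for f in $(apache_cert_files "$conf"); do
        enc=$(cert_encoding "$f")
        echo "$f $enc"
        if [ "$enc" = "DER" ]; then
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_apache_certs.sh /path/to/ssl.conf
if [ $# -ge 1 ]; then
    openssl_version
    audit_apache_conf "$1"
fi
```

A DER result means a file that is not in the PEM form the diary singles out as the lower-risk configuration, so confirm how that host actually loads it. A clean PEM result is not a reason to skip the upgrade.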
Feel free to post a comment to discuss anything not covered in this diary.
ISC Handler on Duty