A serious security bug... caused by no bounds checking.
Steven Schveighoffer
schveiguy at yahoo.com
Tue Apr 8 17:50:08 PDT 2014
On Mon, 07 Apr 2014 21:36:28 -0400, Nick Sabalausky
<SeeWebsiteToContactMe at semitwist.com> wrote:
> On 4/7/2014 7:28 PM, w0rp wrote:
>> http://heartbleed.com/
>>
>> This bug has been getting around. The bug was caused by missing bounds
>> checking.
>>
>> I'm glad to be using a language with bounds checking.
>
> Whelp, time for that server system upgrade I've been putting off for far
> too long...
>
In theory, patching OpenSSL doesn't solve the problem, because someone
could have previously used the vulnerability to get your private key.
So technically you need to also get a new cert. This is what my
password-generation vendor (lastpass.com) is recommending:
1. Generate a new password for your most critical sites.
2. But only after they get a cert dated after today!
I don't think many people understand this aspect.
Hopefully, this vulnerability was not known by hackers before it was
announced. Even if it was, there is quite a window of opportunity for them
as the patched sites roll out.
-Steve
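The advice above (only rotate a password once the site's certificate is dated after the disclosure) can be checked mechanically. The following is an added example, not code from the thread or from LastPass: it reads the `notBefore` field from the dictionary that Python's standard-library `ssl.getpeercert()` returns and compares it against a cutoff. The cutoff of 8 April 2014 is taken from the date of the post; the sample certificate dictionaries and the `old.example`/`new.example` names are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff taken from the date of the post above (8 Apr 2014). Assumption: a
# certificate whose validity period starts on or before this date may have been
# issued while the key was still exposed, so it has not been reissued yet.
HEARTBLEED_CUTOFF = datetime(2014, 4, 8, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Parse the notBefore field of a cert dict in the ssl.getpeercert() shape.

    ssl.cert_time_to_seconds() understands the 'Mon DD HH:MM:SS YYYY GMT' text
    that getpeercert() produces and returns UTC epoch seconds.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def issued_after_cutoff(cert, cutoff=HEARTBLEED_CUTOFF):
    """True if the certificate's validity starts strictly after the cutoff."""
    return cert_not_before(cert) > cutoff


def assess(cert, cutoff=HEARTBLEED_CUTOFF):
    """Return a one-line verdict a user can act on before rotating a password."""
    issued = cert_not_before(cert).date().isoformat()
    if issued_after_cutoff(cert, cutoff):
        return "cert issued %s: after cutoff, safe to rotate password" % issued
    return "cert issued %s: predates cutoff, wait for a reissued cert" % issued


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate of a live host (network access required).

    Not exercised by the test; call assess(fetch_peer_cert("host")) by hand.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the same shape as ssl.getpeercert() output.
OLD_CERT = {
    "subject": ((("commonName", "old.example"),),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "new.example"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",
    "notAfter": "Apr  9 12:00:00 2015 GMT",
}

if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_CERT):
        print(cert["subject"][0][0][1], "->", assess(cert))
```

A later `notBefore` is a necessary condition, not a sufficient one: a site that reissues its certificate but keeps the same key pair is no better off, so a changed public key (compare the `SubjectPublicKeyInfo` or the certificate fingerprint before and after) is the stronger signal.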