A serious security bug... caused by no bounds checking.

Nick Sabalausky SeeWebsiteToContactMe at semitwist.com
Tue Apr 8 19:00:45 PDT 2014


On 4/8/2014 8:50 PM, Steven Schveighoffer wrote:
> On Mon, 07 Apr 2014 21:36:28 -0400, Nick Sabalausky
> <SeeWebsiteToContactMe at semitwist.com> wrote:
>>
>> Whelp, time for that server system upgrade I've been putting off for
>> far too long...
>>
>
> In theory, patching openSSL doesn't solve the problem, because someone
> could have previously used the vulnerability to get your private key.
>
> So technically you need to also get a new cert. This is what my
> password-generation vendor (lastpass.com) is recommending:
>
> 1. Generate a new password for your most critical sites.
> 2. But only after they get a cert dated after today!
>
> I don't think many people understand this aspect.
>
> Hopefully, this vulnerability was not known by hackers before it was
> announced. Even if it was, there is quite a window of opportunity for
> them as the patched sites roll out.
>

Very good point.

Luckily for me (and yet, simultaneously embarrassing), my server's 
version of openssl turned out not to be affected. Which is nice since I 
*just* paid for a new cert about one week ago.
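As an added example (not code from this thread), a small check for the second step Steven quotes above: before rotating a password at a site, confirm its certificate is dated after the day of the disclosure. It assumes the openssl CLI is on PATH and uses the thread's own date as a placeholder cut-off.

```python
"""Flag certificates issued before a cut-off date (e.g. an OpenSSL fix).

The thread's advice: after patching, the site also needs a new certificate,
and passwords should be rotated only once the cert is dated after that day.
This reads the notBefore date as printed by `openssl x509 -noout -startdate`.
"""
import subprocess
from datetime import datetime, timezone

# Assumed cut-off: end of the day this thread was posted (constructed value;
# substitute the disclosure/patch date that applies to your own servers).
CUTOFF = datetime(2014, 4, 8, 23, 59, 59, tzinfo=timezone.utc)


def parse_not_before(line: str) -> datetime:
    """Parse a line such as 'notBefore=Apr  8 19:00:45 2014 GMT'."""
    key, _, value = line.strip().partition("=")
    if key != "notBefore":
        raise ValueError(f"unexpected field: {key!r}")
    # openssl pads single-digit days with two spaces; split() absorbs that.
    fields = value.split()
    if len(fields) != 5 or fields[4] != "GMT":
        raise ValueError(f"unexpected date format: {value!r}")
    stamp = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)


def needs_reissue(not_before_line: str, cutoff: datetime = CUTOFF) -> bool:
    """True when the cert was issued on or before the cut-off: its private key
    may have been exposed while the server ran the unpatched library."""
    return parse_not_before(not_before_line) <= cutoff


def fetch_not_before(host: str, port: int = 443) -> str:
    """Fetch the live certificate's notBefore line through the openssl CLI."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-startdate"],
                          input=client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        line = fetch_not_before(host)
        verdict = "reissue cert, then rotate passwords" if needs_reissue(line) else "ok"
        print(f"{host}: {line.strip()} -> {verdict}")
```

A cert dated after the cut-off only shows the site re-keyed; it says nothing about whether the old key was actually taken, which is why the thread treats every pre-patch cert as suspect.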