Heartbleed

From: "Robert A. Kelly III" 
------------------------------------------------------
If I understand this correctly, running a vulnerable version of OpenSSL
means that anything that might have been in memory on your computer
could have been compromised, including passwords for services that were
not otherwise affected, OpenPGP encryption keys, etc. Am I right about this?

===============================================================
From: William Roush
------------------------------------------------------
Pretty much literally this: http://xkcd.com/1354/

William Roush
william.roush@roushtech.net
423-463-0592
http://www.roushtech.net/blog/

===============================================================
From: Dan Lyke
------------------------------------------------------
On Fri, Apr 11, 2014 at 4:13 PM, Robert A. Kelly III wrote:

I believe that although this may be strictly true, it's very unlikely. It's much more likely that the bled data was largely stuff related to OpenSSL specifically, like web passwords, private key data, that sort of thing.

Dan

===============================================================
From: "Robert A. Kelly III"
------------------------------------------------------
Which applications might be vulnerable to Heartbleed? I think OpenSSH, Pine, Sendmail, W3M, and Lynx may all potentially be vulnerable since they all use OpenSSL. I'm guessing that if you run an OpenSSH server on your home machine you should probably change all passwords and generate new keys, etc.

===============================================================
From: William Roush
------------------------------------------------------
OpenSSH only uses OpenSSL for key management; it doesn't leverage the heartbeat feature.

William Roush
william.roush@roushtech.net
423-463-0592
http://www.roushtech.net/blog/

===============================================================
From: "Robert A. Kelly III"
------------------------------------------------------
Ok, so OpenSSH was not vulnerable then. Does anyone have a list of applications known to be vulnerable?

===============================================================
From: David White
------------------------------------------------------
That's going to be a long list. Just saying.

Examples / ones I'm paying close attention to include:

*pfSense* - https://blog.pfsense.org/?p=1253

*WatchGuard* - http://watchguardsecuritycenter.com/2014/04/08/the-heartbleed-openssl-vulnerability-patch-openssl-asap/

*Cisco* - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

*SonicWALL* - I don't know of an actual service bulletin or anything, but I did talk to a guy on the phone recently. Blogged about it at http://developcents.com/blog/04082014-0810/heartbleed-what-it-means-nonprofit-organizations - this is what I wrote:

"In a phone call I received today from a SonicWALL engineer, I learned that although Dell's SonicWALL firewall (their NSA) appliances are not affected, their SSL VPN (SRA) appliances ARE affected. "The SonicOS Enhanced 5.8 version, as well as the 5.9 version, are not affected by Heartbleed," he said. "The only Firewall software that WAS affected was an OS update that was still in pre-release beta not available to the general public." The engineer went on to assure me that Dell was working on a public Knowledge Base article that would be published shortly."

*CentOS / Red Hat* - https://rhn.redhat.com/errata/RHSA-2014-0376.html

===============================================================
From: David White
------------------------------------------------------
(Granted, that's probably not exactly what you had in mind when you said "applications", but all of these are pieces of software that incorporate / use OpenSSL, and are affected.)

===============================================================
From: "Robert A. Kelly III"
------------------------------------------------------
What about web browsers and email clients? Off the top of my head, I think Mozilla would not be vulnerable because they use their own NSS instead of OpenSSL libraries. But are there others that use OpenSSL that may be vulnerable? I saw some mention of Lynx and Pine using OpenSSL at some point, but I don't know if they are using it in default configurations now.
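Added example, written for this thread rather than posted by anyone in it: a Python inventory check for the recurring question of which programs on a host actually load OpenSSL's TLS code. Of OpenSSL's two shared libraries only libssl holds the TLS layer where the heartbeat handling lives; libcrypto supplies ciphers, hashes and key handling (which is all OpenSSH links), and Mozilla's NSS ships a differently named libssl3.so that is deliberately not matched. It assumes Linux with a readable /proc, and the sample maps excerpts are constructed.

```python
import os
import re

# libssl is the TLS layer (the heartbeat code lives there); libcrypto is only ciphers, hashes, keys.
OPENSSL_LIB = re.compile(r"^lib(ssl|crypto)\.so(\.|$)")

def openssl_libs_in_maps(maps_text):
    """One /proc/<pid>/maps body -> {"ssl"|"crypto": {stale flags}}; stale=True means
    the file was replaced on disk but the old copy is still mapped (restart needed)."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # 6th field is the backing file, absent for anonymous maps
        if len(fields) == 6:
            path = fields[5].strip()
            m = OPENSSL_LIB.match(os.path.basename(path.replace(" (deleted)", "")))
            if m:
                found.setdefault(m.group(1), set()).add(path.endswith("(deleted)"))
    return found

def verdict(maps_text):
    libs = openssl_libs_in_maps(maps_text)
    if "ssl" in libs:
        if True in libs["ssl"]:
            return "libssl replaced on disk but old copy still mapped: restart"
        return "libssl loaded: confirm the OpenSSL build is patched"
    if "crypto" in libs:
        return "libcrypto only: no TLS heartbeat code loaded"
    return "no OpenSSL shared library mapped"

def scan_live_system(proc="/proc"):
    """Walk a Linux /proc (needs read access to maps); statically linked binaries are missed."""
    out = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as c, open(f"{proc}/{pid}/maps") as m:
                out[f"{c.read().strip()}[{pid}]"] = verdict(m.read())
        except OSError:
            continue  # process exited, or not ours to read
    return out

# Constructed sample maps excerpts, not captured from a real host.
SAMPLE = {
    "nginx": "7f00-7f01 r-xp 00000000 08:01 100  /usr/lib/libssl.so.1.0.0\n"
             "7f02-7f03 r-xp 00000000 08:01 101  /usr/lib/libcrypto.so.1.0.0\n",
    "apache2": "7f30-7f31 r-xp 00000000 08:01 102  /usr/lib/libssl.so.1.0.0 (deleted)\n",
    "sshd": "7f10-7f11 r-xp 00000000 08:01 101  /usr/lib/libcrypto.so.1.0.0\n",
}
if __name__ == "__main__":
    for name, text in SAMPLE.items():
        print(f"{name}: {verdict(text)}")
```

Run `scan_live_system()` on the host itself to get the same verdicts per running process; a "libssl loaded" verdict is a candidate to check, not a confirmed vulnerability.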