I'm guessing I'm not the only one that was up late patching systems to
mitigate this security disaster. :(

I've been thinking through all of the various vulnerabilities we've seen in
my career, and I'm not sure I can think of one that is as potentially
damaging as this one is.

For those that haven't heard, the Heartbleed[1] OpenSSL bug was announced
yesterday. In short, it's a bug in the TLS heartbeat functionality that
allows any party to remotely read any accessible memory contents in the
affected systems. Meaning that your private keys, session keys, etc. have
all potentially been compromised.

So, if you're running a Linux server with an application that uses TLS and
you have OpenSSL versions 1.0.1 through 1.0.1f, you're vulnerable and need to
respond appropriately: patch openssl and libssl, regenerate private keys,
get new SSL certs issued/installed, etc. It's been a fun 18 hours. :)

-Erik

[1]: http://heartbleed.com/
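As an added example (not part of Erik's post or of the OpenSSL project), the version triage step above written as a small POSIX sh script: it pulls the version token out of `openssl version` output and classifies it against the range the post names, 1.0.1 through 1.0.1f. It also treats 1.0.2-beta1 as affected, which goes one step beyond the post (the OpenSSL advisory listed that beta as affected too). The sample version lines are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: triage a host's OpenSSL version
# against the Heartbleed-affected range (1.0.1 .. 1.0.1f, plus 1.0.2-beta1).
# Version tokens are assumed to be the second field of `openssl version`
# output, e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".

# Print the bare version token from one line of `openssl version` output.
openssl_version_field() {
    # $1 is the whole line; word splitting on the default IFS gives the fields.
    set -- $1
    printf '%s\n' "$2"
}

# Return 0 when the token is in the affected range, 1 when it is outside it,
# 2 when the token does not look like an OpenSSL version at all.
in_heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1, 1.0.1a..1.0.1f, 1.0.1e-fips
        1.0.2-beta1)                   return 0 ;;   # also affected upstream
        1.0.1[g-z]*)                   return 1 ;;   # 1.0.1g and later carry the fix
        1.0.0*|0.9.*|1.0.2*|1.[1-9]*|[2-9].*) return 1 ;;  # other branches: 1.0.0 and 0.9.8 never had the heartbeat code
        *)                             return 2 ;;
    esac
}

# One-line human-readable verdict for a version token (echoed, not returned).
heartbleed_verdict() {
    rc=0
    in_heartbleed_range "$1" || rc=$?
    case $rc in
        0) printf '%s: in the affected range, patch then rotate keys and reissue certs\n' "$1" ;;
        1) printf '%s: outside the affected range\n' "$1" ;;
        *) printf '%s: unrecognised version string\n' "$1" ;;
    esac
}

# Demo over constructed sample lines, then over the local binary if present.
for sample in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" "OpenSSL 1.0.0l 6 Jan 2014"; do
    heartbleed_verdict "$(openssl_version_field "$sample")"
done
if command -v openssl >/dev/null 2>&1; then
    heartbleed_verdict "$(openssl_version_field "$(openssl version)")"
fi
```

Treat the result as triage, not a verdict: distribution packages commonly ship the fix as a patch on top of an unchanged upstream version string, so a host reporting 1.0.1e may already be fixed. Confirm against your distribution's security advisory and package changelog, and remember that the fix is only half the response; the keys and certs that were in memory on a vulnerable host still need to be rotated, as the post says.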