Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

[Brandon Perry <bperry.volatile@xxxxxxxxx>]

I have seen people pull private keys off of FreeBSD 9.1 machines.

https://twitter.com/1njected/status/453797877672706048


On Wed, Apr 9, 2014 at 2:52 PM, Jeremy Voorhis <jvoorhis@xxxxxxxxx> wrote:

> I just read an article titled "Why heartbleed doesn't leak the private key"
> and the claim seems irresponsible and overly broad. Can anyone comment on
> his analysis?
>
>
> http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html#.U0WjNK1dWBg
>
>
> On Mon, Apr 7, 2014 at 5:10 PM, Kirils Solovjovs <
> kirils.solovjovs@xxxxxxxxxx> wrote:
>
> > We are doomed.
> >
> > Description: http://www.openssl.org/news/vulnerabilities.html
> > Article dedicated to the bug: http://heartbleed.com/
> > Tool to check if TLS heartbeat extension is supported:
> > http://possible.lv/tools/hb/
> >
> > A missing bounds check in the handling of the TLS heartbeat extension
> > can be used to reveal up to 64kB of memory to a connected client or
> server.
> >
> > 1.0.1[ abcdef] affected.
> >
> >
> > P.S. Happy Monday!
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>
>
>
> --
> Jeremy Voorhis
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/