From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Mon, 7 Apr 2014 18:38:58 -0700
Subject: [Cerowrt-devel] CVE-2014-0160 : heartbleed CVE on openssl - http://heartbleed.com/
List-Id: Development issues regarding the cerowrt test router project

This one looks pretty nasty. See http://lwn.net/Articles/593683/ for more details.
The headache and cost of updating all the gear I maintain is insanely high. Some of my OSes are so old as to no longer have updates, others have ssl certs that I can now no longer trust for email or imap, still others work on the vpn... and I only have a few dozen machines to fix, personally. On the boxes I can update I see a whole bunch of new certs coming down and it looks like ubuntu 13.10 has an update for sure... (I feel for those with thousands or more services to patch.)

In cerowrt's case I cannot easily go back and rebuild a "stable" release, and the vulnerability is limited (with the default package set) to the admin web interface, which is by default limited to the local interfaces...

... and by default we use perfect forward secrecy...

... and an attacker would want to read mips data, so the immediate vulnerabilities for cero are small.

But if this CVE is as bad as it looks, vast chunks of the internet are vulnerable, certs stolen, usernames and passwords exposed, end-sites not trustable, etc, etc.

Cryptogeddon.

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
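The patch-triage problem the mail describes (a few dozen machines, many of them old) is easier with a quick inventory pass. The following is an added example, not code from the list or from the cerowrt project: it classifies `openssl version` banners against the CVE-2014-0160 affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8 and 1.0.0 never had the heartbeat code). The inventory format (`host<TAB>banner`) and the sample hosts are constructed for the example.

```python
import re

# Matches "OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.2-beta1 ...", "OpenSSL 1.0.1e-fips ...".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def classify(banner):
    """Classify one `openssl version` banner for CVE-2014-0160.

    Returns 'affected', 'fixed', 'unaffected' or 'unknown'.
    Caveat: distributions often backport the fix without changing the
    upstream letter, so 'affected' means "check the package changelog",
    not "confirmed vulnerable"; builds with OPENSSL_NO_HEARTBEATS are
    also safe and indistinguishable from the banner alone.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # 1.0.1 base and letters a..f are affected; 1.0.1g is the fix.
        return "affected" if letter <= "f" else "fixed"
    if release == (1, 0, 2):
        # 1.0.2-beta1 shipped the bug; later betas and the final release do not.
        return "affected" if beta == "beta1" else "fixed"
    # 0.9.8, 1.0.0 and everything after 1.0.2 never carried the bug.
    return "unaffected"


def triage(inventory_lines):
    """Map 'host<TAB>banner' lines (constructed format) to {host: status}."""
    statuses = {}
    for line in inventory_lines:
        host, _, banner = line.partition("\t")
        if host.strip():
            statuses[host.strip()] = classify(banner)
    return statuses


def needs_attention(statuses):
    """Hosts that must be patched or checked by hand, sorted for a worklist."""
    return sorted(h for h, s in statuses.items() if s in ("affected", "unknown"))


# Constructed sample inventory, as one might collect with ssh + `openssl version`.
SAMPLE_INVENTORY = [
    "router-1\tOpenSSL 1.0.1f 6 Jan 2014",
    "mail\tOpenSSL 1.0.1g 7 Apr 2014",
    "old-nas\tOpenSSL 0.9.8y 5 Feb 2013",
    "vpn\tOpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance\tno openssl binary found",
]
```

Run `needs_attention(triage(SAMPLE_INVENTORY))` to get the worklist; for the sample it yields `['appliance', 'router-1', 'vpn']`.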