Trusted CI Blog: Serious OpenSSL 1.0.1 "Heartbleed" Bug

Tuesday, April 8, 2014

Serious OpenSSL 1.0.1 "Heartbleed" Bug

On Monday, April 7, 2014, the OpenSSL project announced the existence of a serious bug in OpenSSL 1.0.1 through 1.0.1f with the potential of leaking private keys and other sensitive information from affected SSL/TLS clients and servers. The bug is in the implementation of the TLS/DTLS heartbeat extension (RFC 6520) and therefore has been called the "Heartbleed Bug".

Administrators of systems running OpenSSL 1.0.1 through 1.0.1f should promptly install the vendor fix for their operating system (when available). Administrators of impacted HTTPS servers should obtain a new HTTPS certificate using a newly generated private key, after installing the OpenSSL fix, as the existing HTTPS private key is now suspected to be compromised due to this OpenSSL bug.

References:

https://www.openssl.org/news/secadv_20140407.txt
http://heartbleed.com/
http://www.kb.cert.org/vuls/id/720951
https://lists.incommon.org/sympa/arc/inc-ops-notifications/2014-04/msg00000.html