Friday, April 11, 2014

Pretty Cool.

The Internet Bug Bounty rewarded @neelmehta with a $15,000 bounty for the TSL heartbeat read oversrun, aka HeartBleed.

And then @neelmehta donated the reward to the Freedom of the Press Foundation.

Very Cool!


#6626 CVE-2014-0160

TLS heartbeat read overrun

Someone reported a bug to OpenSSL.
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3

No comments:

Post a Comment