Friday, April 11, 2014

Pretty Cool.

The Internet Bug Bounty rewarded @neelmehta with a $15,000 bounty for the TSL heartbeat read oversrun, aka HeartBleed.

And then @neelmehta donated the reward to the Freedom of the Press Foundation.

Very Cool!

-------------------------------------------------

#6626 CVE-2014-0160

TLS heartbeat read overrun

Someone reported a bug to OpenSSL.
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley agl@chromium.org and Bodo Moeller bmoeller@acm.org for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3

No comments:

Post a Comment