
Monday 14 April 2014

HeartBleed (CVE-2014-0160)

There seems to be a lot of misinformation at the moment, and many pundits are suggesting that everyone should change their passwords NOW! Even stranger, they have even designed their own logo for the bug??

I would urge caution and say it is more sensible to wait and see who is vulnerable, and when they applied the patch(es). Then, and only then, would I suggest changing your passwords.

The fact is that if you have kept your AIX system up to date you are unlikely to have an old version of OpenSSL, and so are not vulnerable to this particular exploit. Curiously, however, there are reports that the latest versions are affected?

What we do know so far is that the following versions are NOT vulnerable:

OpenSSL 0.9.8
OpenSSL 1.0.0
OpenSSL 1.0.1g

Versions of OpenSSL 1.0.1 to 1.0.1f (inclusive) are vulnerable.
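
To turn the list above into a quick check of what a host reports, here is an added example (not part of the original post or the IBM advisory) that classifies an `openssl version` banner. The function name `heartbleed_status` and the sample banners are made up for illustration, and the 0.9.8 and 1.0.0 entries are assumed to mean the whole branch, letter releases included.

```shell
#!/bin/sh
# Classify an OpenSSL version banner using only the ranges listed in this post.
# Prints one of: vulnerable | not-vulnerable | unknown
heartbleed_status() {
    # Accept either "OpenSSL 1.0.1e 11 Feb 2013" or a bare "1.0.1e".
    ver=$(printf '%s\n' "$1" |
        awk '{ if ($1 == "OpenSSL") print $2; else print $1 }')
    case "$ver" in
        # 0.9.8 and 1.0.0 branches (assumed to include letter releases).
        0.9.8|0.9.8[a-z]*|1.0.0|1.0.0[a-z]*) echo not-vulnerable ;;
        # 1.0.1 with no letter, through 1.0.1f inclusive.
        1.0.1|1.0.1[a-f])                    echo vulnerable ;;
        # The fixed release named in the post.
        1.0.1g)                              echo not-vulnerable ;;
        # Anything the post does not list, including vendor-suffixed
        # builds such as "1.0.1e-fips": a vendor may have patched the
        # code without changing the letter, so check its advisory.
        *)                                   echo unknown ;;
    esac
}

# Constructed sample banners (not collected from real hosts).
for banner in \
    "OpenSSL 0.9.8y 5 Feb 2013" \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013"
do
    printf '%-34s %s\n' "$banner" "$(heartbleed_status "$banner")"
done

# Check the local binary too, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version)
    printf 'this host: %s -> %s\n' "$local_banner" \
        "$(heartbleed_status "$local_banner")"
fi
```

The banner only describes the `openssl` binary found on the PATH; applications that bundle or statically link their own copy of the library need to be checked separately.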

A few days ago IBM issued a security advisory that can be accessed here:


http://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc
https://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc

