[liberationtech] OpenSSL Heartbleed Vulnerability Patched

Julian Oliver julian at julianoliver.com
Tue Apr 8 16:56:13 PDT 2014


..on Tue, Apr 08, 2014 at 04:23:21PM -0700, Yosem Companys wrote:
> From: Todd Greene <todd at pubnub.com>
> 
> There has been a lot of news in the past 24 hours regarding the
> Heartbleed Bug (CVE-2014-0160) as reported by the OpenSSL project. If you
> are not aware of the situation, the Heartbleed Bug is a serious
> vulnerability in the popular OpenSSL cryptographic software library. The
> bug allows anyone on the Internet to read the memory of the systems
> protected by the vulnerable versions of the OpenSSL software.
> 
> We take security and privacy of customer data very seriously at PubNub.
> To this end, I would like to let you know personally that as of 12:00am
> Pacific this morning, we have applied the patch released by the OpenSSL
> project to all of PubNub's machines and services. No further action is
> required by PubNub's customers to address this vulnerability.

Perhaps you don't understand the scale of the problem. Please correct me if
wrong.

Revoking and regenerating the certs and keys, restarting services, is only the
beginning. Your users need to be told to generate new passwords. This exploit
has been in the wild for ~2yrs; any silently and previously compromised account
will be no less vulnerable post patch.

This is the long-tail of Heartbleed.

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
PGP key: https://julianoliver.com/key.asc
Beware the auto-complete life.



