On 11/04/2014 00:55, walt wrote:
> On 04/09/2014 05:06 PM, Joseph wrote:
>> Is gentoo affected by this new 'Heartbleed' bug?
>>
>> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library...."
>>
>> http://heartbleed.com/
>
> This topic was discussed in my favorite podcast, http://twit.tv/sn
>
> Steve Gibson explained that the heartbeat feature was introduced in openssl to
> allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol.
>
> IIRC Steve didn't explain how UDP bugs can compromise TCP connections.
>
> Anyone here really understand the underlying principles? If so, please explain!
>
> Thanks.

UDP is not compromising TCP connections.
The software bug allows malicious connecting code to determine the
contents of memory, which is in use by sshd. How that memory got to be
there is irrelevant.

There are many lengthy discussions on the internet on how this vuln
works. You should read them.

--
Alan McKinnon
alan.mckinnon@×××××.com
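Added illustration, not part of the thread above and not OpenSSL's own code: a constructed C model of the heartbeat record (type byte, 2-byte length, payload, padding) showing how a responder that trusts the declared payload length reads past the bytes it actually received, and the bounds check of the kind the fix adds. All function names and the sample records are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record: 1-byte type, 2-byte big-endian payload
   length, the payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Bytes a length-trusting responder would read past the end of the
   received record when echoing the declared payload (0 = none). */
static size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - HB_HEADER_LEN;
    return declared > available ? declared - available : 0;
}

/* Hardened check: accept only if declared payload plus header and minimum
   padding fits inside what was actually received. Returns echo length or -1. */
static int hb_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len) return -1;
    return (int)declared;
}

/* Build a constructed sample record whose declared length may disagree
   with the real payload; returns the number of bytes written. */
static size_t hb_build(uint8_t *out, const char *payload, uint16_t declared)
{
    size_t n = strlen(payload);
    out[0] = 1;                              /* heartbeat_request */
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, n);
    memset(out + HB_HEADER_LEN + n, 0xAA, HB_MIN_PADDING);
    return HB_HEADER_LEN + n + HB_MIN_PADDING;
}

/* Convenience wrappers: build a record and run each check on it. */
static int hb_case_verdict(const char *payload, uint16_t declared)
{
    uint8_t buf[128];
    return hb_validate(buf, hb_build(buf, payload, declared));
}
static size_t hb_case_overread(const char *payload, uint16_t declared)
{
    uint8_t buf[128];
    return hb_overread(buf, hb_build(buf, payload, declared));
}
```

A well-formed request declaring its true length passes and over-reads nothing; one declaring 65535 bytes with a 4-byte payload is rejected by the check, whereas a trusting copy would have read 65515 bytes of whatever process memory followed the record.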