A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
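To make the advisory's "missing bounds check" concrete, here is an added example, written for this post and not code from OpenSSL or its advisory. It is a deliberately simplified heartbeat handler in C: the message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520, but the function names (hb_parse, hb_build_response), the constants and the two sample records are invented for illustration. The important line is the check that the claimed payload length plus header and minimum padding fits inside the bytes actually received; a handler that omits it builds its reply from memory beyond the record, which is how up to 64k of process memory could be echoed back.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload
 * length, payload bytes, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Parse one heartbeat record. Returns the payload length on success and
 * -1 when the record is malformed. Hypothetical helper, not OpenSSL's. */
int hb_parse(const uint8_t *rec, size_t rec_len, const uint8_t **payload)
{
    /* Too short to hold even an empty message plus minimum padding. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check the advisory refers to: header + claimed payload +
     * minimum padding must fit in what was actually received. Without it
     * the reply below would copy `claimed` bytes starting at rec + 3,
     * reading whatever happens to sit past the end of the record. */
    if (1 + 2 + claimed + HB_MIN_PADDING > rec_len) return -1;

    *payload = rec + 3;
    return (int)claimed;
}

/* Build the response: type byte, 2-byte length, echoed payload, padding.
 * Returns the number of bytes written, or -1 if the request was rejected
 * or the output buffer is too small. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_len)
{
    const uint8_t *payload;
    int n = hb_parse(rec, rec_len, &payload);
    if (n < 0) return -1;

    size_t need = 1 + 2 + (size_t)n + HB_MIN_PADDING;
    if (need > out_len) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + 3, payload, (size_t)n);        /* only bytes that exist */
    memset(out + 3 + n, 0, HB_MIN_PADDING);     /* real code pads randomly */
    return (int)need;
}

/* Constructed sample records for the demo (not captured traffic). */
/* Well-formed: declares a 5-byte payload "hello" and carries 16 bytes of padding. */
static const uint8_t good_req[] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Malformed: identical 24 bytes on the wire, but claims a 65535-byte payload. */
static const uint8_t bad_req[] = { HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Returns the response size for the well-formed request (1+2+5+16 = 24). */
int demo_good(void)
{
    uint8_t out[64];
    return hb_build_response(good_req, sizeof good_req, out, sizeof out);
}

/* Returns -1: the oversized length claim is rejected before any copy. */
int demo_bad(void)
{
    uint8_t out[64];
    return hb_build_response(bad_req, sizeof bad_req, out, sizeof out);
}

int main(void)
{
    printf("well-formed request -> response of %d bytes\n", demo_good());
    printf("oversized claim     -> %d (rejected)\n", demo_bad());
    return 0;
}
```

The -DOPENSSL_NO_HEARTBEATS workaround in the advisory takes the other route: rather than checking lengths, it compiles the heartbeat handler out entirely, so no code path is left that could build such a reply. Either way, the thing to verify on a patched server is that an oversized length claim is refused, not echoed.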
This bug was largely fixed a week ago, when it was originally made public by CloudFlare, after being discovered by a few folks over at Codenomicon.
For users who are worried about their personal information, the best practice is to change your passwords. However, before running off and changing all of your passwords, make sure that the site in question has patched the issue; otherwise you are just changing your password on a system which is still vulnerable. Instead, I suggest heading over to Mashable's article, where they list the systems which are affected and whether or not you should change your password. They also leave a little note, so you can better understand the state of that particular site.
This is a valuable blog for any web developer, I know I will visit your blog often.