14/04/08 12:47:07.86 TvXgyp6E0.net
It looks like both servers and clients built without disabling TLS heartbeat leak up to 64KB of memory, but I can't quite figure out the scope of the impact. Still, Google sure finds a lot of bugs like this.
OpenSSL vulnerabilities
This page lists all security vulnerabilities fixed in released versions of OpenSSL since 0.9.6a was released on 5th April 2001.
2014
CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)