I'm guessing I'm not the only one that was up late patching systems to mitigate this security disaster. :( I've been thinking through all of the various vulnerabilities we've seen in my career, and I'm not sure I can think of one that is as potentially damaging as this one is. For those that haven't heard, the Heartbleed[1] OpenSSL bug was announced yesterday. In short, it's a bug in the TLS heartbeat functionality that allows any party to remotely read any accessible memory contents in the affected systems. Meaning that your private keys, session keys, etc. have all potentially been compromised. So, if you're running a linux server with an application that uses TLS and you have OpenSSL versions 1.0.1 = 1.0.1f, you're vulnerable and need to respond appropriately: patch openssl and libssl, regenerate private keys, get new SSL certs issued/installed, etc. It's been a fun 18 hours. :) -Erik [1]: http://heartbleed.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mailman.mn-linux.org/pipermail/tclug-list/attachments/20140408/b3e09fc5/attachment.html>