Thanks. I'm not sure I understand that code, so I'll have to read up on network analysis 101.

In a purely abstract sense though, wouldn't we have to have a way to detect client packets that declare length of x to be greater than actual length of x, where x is whatever keep alive data that is responsible for the heartbeat?

Hi. I was checking this out the other day. If you type:

openssl version

into the terminal (that's in normal terminal, not root). It will tell you which version you have, which I have found tends to be the non-updated one. BUT - if you type

openssl version -b

It will tell you the date it was fixed. So although your version might not have been replaced with the 'g' version it has been patched. If the date is 7 April or after, it is safe.

I have tried this on both debian and xubuntu. Debian upgraded to 'f' so still the vulnerable version, but showed latest update fix as 14 April. Xubuntu still shows the old version with a fix date of 7 April.

My question now is - do I need to change my password on this site?!!! Apart from checking out my 'buntu' distros I have changed passwords on sites supposed to be affected - ie google/gmail, godaddy and various others. I now have so many new passwords I need a special notebook! So would be grateful if someone could let me/us known - is this site affected? If not, no need to change passwords. If it did use openssl, has it been patched so we need to change passwords after patch date. Thanks!

And a thought - I'm a great one for conspiracy theories! So - the openssl problem affected just about everyone (including Google and Linux) except Microsoft and the banks - hmm!

Hmm, Google wasn't affected (from what I know)... And some banks we're affected...

Now, regarding the changing password from this site.. This forum doesn't use SSL for logins.. That means your password is always unsecure here and should not be the same as one used in you e-mail account or bank password

Cheers! I have a different password on here. No need to change it then! I read a list, somewhere, that those affected included GMail and Google, plus Facebook. Anyway, one less password to change!

Pretty much the only sites you need to worry about at the https sites (not http).

You can use http://filippo.io/Heartbleed or https://lastpass.com/heartbleed to test whether a site may be vulnerable (that may is important) and you, again, may get different answers from each. The first reports
the second reports
Hm.

As noted by @Smokey_justme above, LinuxQuestions.org doesn't use SSL for log in.

Basically, you need to update your system(s) to openssl-1.0.1g (or higher) and, if your distribution uses openssl-solibs-1.0.1g (or higher), too. You need to reboot after applying the update and you need to revoke and regenerate your public/private SSL keys and certificates (if any). This is CYA stuff.

This has nothing to do with SSH, you don't need to worry about that (yet?).

For secure sites you use (banks, credit card issuers, etc.), you'll want to check the site with one or both of the tools listed above and decide for yourself about changing the passwords on those sites.

And, what the heck, you ought to periodically change passwords in any event, eh?

Hope this helps some.

hmmm, most big orgs have change freezes around times like this. no patching, no new software, etc etc. when i worked at MBUSA they had a strict small yearly window to get things done in the environment, after that it was locked to anything new (less patches and what not, but very very tight on changes, etc). there should be a ISO that defines the dates when new code cannot be released, etc.

not really.... anything that loads the problem libraries under a listening port is a problem, not just HTTP+SSL, etc.