[Slackbuilds-users] Cauterizing heartbleed (CVE-2014-0160)

Vincent Batts vbatts at gmail.com
Sat Apr 12 11:05:30 UTC 2014


Haha. I should read all new messages first. <3
On Apr 12, 2014 3:06 AM, "mancha" <mancha1 at hush.com> wrote:

> B Watson <yalhcru at ...> writes:
> > On 4/12/14, mancha <mancha1 at ...> wrote:
> > > After identifying candidates, we can worry about whether the bundled
> > > or statically-linked OpenSSLs are vulnerable or not.
> >
> > Possibly stupid question but I'll ask it anyway. Are clients even
> > vulnerable?  Everything I've seen about heartbleed (and I haven't
> > really researched in detail either) talks about attacks against
> > vulnerable servers... is it possible for a malicious server to exploit
> > an unpatched client?
> >
>
> Heartbeats are basically pings for [D]TLS and they can originate at
> either the client or server. So, yes, clients are "heartbleedable".
>
> In fact, you can use this python script to set up a listener and point
> your favorite OpenSSL-linked clients (e.g. wget, curl, etc.) at it:
>
> https://github.com/Lekensteyn/pacemaker
>
> --mancha
>
> _______________________________________________
> SlackBuilds-users mailing list
> SlackBuilds-users at slackbuilds.org
> http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
> Archives - http://lists.slackbuilds.org/pipermail/slackbuilds-users/
> FAQ - http://slackbuilds.org/faq/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20140412/92344998/attachment.html>


More information about the SlackBuilds-users mailing list