21 April 2014

The Ruby Reflector

Topic

OpenSSL

OpenSSL library as long as it is linked dynamically. It is highly recommended to dynamically link OpenSSL exactly to take care of such security issues with a single library update and not wait for separate security updates for multiple software packages. Note that updating the library is not enough - you need to restart the service in order for the new library to be loaded. In most cases, I recommend a full system restart as the simplest way to guarantee that all processes using the library have …

mysqlperformanceblog.com

By Shaun Gordon of New Relic 9 days ago.

This week there has been a lot of news about the Heartbleed (CVE-2014-0160) vulnerability in OpenSSL, which could potentially leak memory contents — including personal information and even a site's cryptographic keys.

As sites and services across the Internet scramble to update their security and implement patches, we wanted to update New Relic users on how the situation affects them.

You can read our full documentation on the issue here (Security for Heartbleed Vulnerability …

newrelic.com

By Karen Gillison of On the Path 9 days ago.

Heartbleed. We conducted a comprehensive security review in response to this critical vulnerability in OpenSSL's handling of heartbeat packets.

We're pleased to report that none of our client production server environments were affected. We've deliberately chosen a platform with more stringent criteria for accepting software changes into the operating system, and as a result none of our servers were secured with a version of OpenSSL that suffered from this vulnerability. This …

blog.codesherpas.com

By Joey of Global Nerdy 10 days ago.

…recipes to actually make the protocols work. Think of the protocols as the formulas, and software like OpenSSL as a sort of "decoder ring" that follows those formulas to encrypt and decrypt data. OpenSSL is one of the more popular decoder rings out there, as it's available free of charge and it's open source, meaning that anyone can examine its underlying code to see how it works, and ideally, find flaws and make improvements.

If you use a mobile phone or participate …

globalnerdy.com

By Stephen Delano of Chef Blog 10 days ago.

…secure connection. In this case, that secure connection was provided by HTTPS using the OpenSSL library. Just like any other sensitive information in your Chef infrastructure, it is possible that this data was compromised by the Heartbleed bug. Since the private key is only transferred once, the chances of this information leaking are much lower than for other objects, but that chance is still non-zero.

Heartbled Client

Another scenario in which the Heartbleed bug could potentially …

opscode.com

By Nathan Smith of Chef Blog 11 days ago.

About the OpenSSL Update

OpenSSL was updated to 1.0.1g to address The Heartbleed Bug. Management Console was not directly affected by this bug (it runs behind Enterprise Chef's Nginx) but we've updated the dependency on OpenSSL as a precaution.

When running this release of the Manage Add-on you should also be running at least Enterprise Chef 11.1.3 and have followed the instructions to regenerate your SSL certificates linked …

opscode.com

By Mike Gunderloy of A Fresh Cup 11 days ago.

Ruby 2.1 Garbage Collection: ready for production - A look at the internals of ruby GC, some of the cases where it fails, and what you can do about it.

How to Build a Ruby Gem With Bundler, Test-Driven Development, Travis CI And Coveralls, Oh My! - A good walkthrough of the current state of gem building.

Heartbleed Test - Find out whether a server is vulnerable to the recent devastating OpenSSL bug.

afreshcup.com

By Taryn East of Ruby-coloured glasses 11 days ago.

So, you may have read that there's a security vulnerability in OpenSSL called Heartbleed. It's pretty serious and potentially affects everyone. You should change all your passwords right now.

Read more about it here: Here's How To Protect Yourself From The Massive Security Flaw That's Taken Over The Internet

You can use this site to test any site you care to try: Heartbleed test

rubyglasses.blogspot.com

…There's also a Python implementation. You can also check the version of OpenSSL that's installed on your servers. If you're running OpenSSL 1.0.1 through 1.0.1f or 1.0.2-beta, you're vulnerable. (Side note here: some distributions, such as RHEL/CentOS, have patched the issue without actually updating the OpenSSL version number; on RPM-based systems you can view the changelog to see if it's been fixed, for example: rpm -q --changelog openssl | head -2 …

mysqlperformanceblog.com

By Patrick of Kalzumeus Software 12 days ago.

Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

What leaks in practice?

We have tested some of our own services from an attacker's perspective. …

kalzumeus.com