File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Security and the fly likes New Article Regarding Heartbleed Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "New Article Regarding Heartbleed" Watch "New Article Regarding Heartbleed" New topic
Author

New Article Regarding Heartbleed

Michele Smith
Ranch Hand

Joined: Oct 27, 2010
Posts: 412
Hello I noticed a new article came out today: http://www.forbes.com/sites/jameslyne/2014/04/10/avoiding-heartbleed-hype-what-to-do-to-stay-safe/

I wondered if any of you super smart people out there have any strong ideas/notions about this and how one can protect their wee code.

Thanks,
Michele
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41511
    
  53
Lots of write-ups happened in the last couple of days. Forbes is obviously not the place to go to for technical insight. A discussion on this started at http://www.coderanch.com/t/631935/Security/Heartbleed-Bug-vulnerability-popular-OpenSSL


Ping & DNS - my free Android networking tools app
Michele Smith
Ranch Hand

Joined: Oct 27, 2010
Posts: 412
Thank you for the URL to the Heartbleed Bug. I clicked on one of the URLs and it said this:

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

-----
Maybe I am missing something, but where would we go to obtain:


Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks,
Michele
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: New Article Regarding Heartbleed