[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Thu Apr 10 13:10:31 UTC 2014
David Hrbáč <david-lists at hrbac.cz>

On 10.4.2014 14:47, Johnny Hughes wrote:
> Those are the two possible things that could have happened. 

> ============================= 

> In the case of CentOS servers, the time period where that could have
> occurred is from December 1, 2013 (when openssl-1.0.1e-15.el6 was
> released in CentOS-6.5) until people using 6.5 upgrade to
> openssl-1.0.1e-16.el6_5.7 (available on April 8th, 2014). In the case
> of some other distributions, the possible time frame is from March
> 2012 until April 2014.

Yes, that's what I wanted to point out. And that's why we are going to
replace all the SSL certificates. But this is not enough; we have to and
are going to regenerate the user passwords and ssh keys. What's more, we
are also going to regenerate the server ssh keys; they could be compromised
because of GSISSHD.

DH