[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Fri Apr 11 09:09:34 UTC 2014
Tony Mountifield <tony at softins.co.uk>

In article <1483A20E-66B7-4ECC-8C14-34DE4B24BA33 at gmail.com>,
Markus Falb <wnefal at gmail.com> wrote:
> 
> > No vulnerability on the
> > server can expose a private client certificate, only a vulnerability on
> > the client can.
> 
> With malicious server I did not meant one that was affected
> by heartbleed but a server which is run by bad people that want to exploit
> vulnerable clients.
> 
> If it's easy to write a malicious client to read the server's ram, it's maybe easy to
> write a malicious server that can read the client's ram? Does heartbleed work
> in both directions?
> 
> Assume that the client uses a vulnerable openssl, and it connects to a malicious 
> server, can the server read the ram of the client?

https://reverseheartbleed.com/

Cheers
Tony
-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org