[OWASP-Malaysia] Amaran Untuk Pentadbir Sistem Laman Web : OpenSSL Heartbleed Information Disclosure Vulnerability

Harisfazillah Jamel linuxmalaysia at gmail.com
Tue Apr 8 17:58:38 UTC 2014


Amaran Untuk Pentadbir Sistem Laman Web : OpenSSL Heartbleed Information
Disclosure Vulnerability

[HIGH ALERT] Status SEGERA dan KRITIKAL.

Semua laman web HTTPS, yang menggunakan OpenSSL sama ada Apache, Nginx dan
lain-lain, dalam Linux atau Windows, XAMPP. Sila segerakan kemasan
(upgrade).


Rujukan

https://www.openssl.org/news/secadv_20140407.txt

Amaran dari MyCERT
http://www.mycert.org.my/en/services/advisories/mycert/2014/main/detail/963/index.html


Pengesanan

Saya gunakan https://www.ssllabs.com/ssltest/ untuk periksa OpenSSL apa
yang digunakan.

Selepas keputusan keluar gunakan fungsi find (CTRL dan F) dalam page
result, cari OpenSSL. Apa jua versi 1.0.1 perlu kemasan ke 1.0.1g

Bacaan lanjut

http://heartbleed.com/


Bantuan

Sila gunakan ruang komen blog ini pertanyaan lanjut.

http://cikgucyber.blogspot.com/2014/04/amaran-untuk-pentadbir-sistem-laman-web.html

Pertanyaan dan panduan boleh juga dibincang di Perbincangan OWASP.my di
Facebook

https://www.facebook.com/groups/owaspmy/

Sebaran oleh Harisfazillah Jamel (LinuxMalaysia)

8 Apr 2014

OpenSSL Security Advisory [07 Apr 2014]

TLS heartbeat read overrun (CVE-2014-0160)


A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl at chromium.org> and Bodo Moeller <bmoeller at acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.




-- 

---

MOSC2014 Update With Email @ MailChimp
http://eepurl.com/lBBbj

Malaysia Open Source Conference 2013 (MOSC2013)
http://portal.mosc.my/

LinuxMalaysia Network
http://www.facebook.com/Bukan.Sekadar.Internet.Sahaja
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-malaysia/attachments/20140409/e97190df/attachment.html>


More information about the OWASP-Malaysia mailing list