Greg Freemyer wrote:
Assuming you are running a server serving encrypted data via OpenSSL:
meaning e.g. apache, openvpn, sshd, postfix (and exim et al), dovecot etc.
Not sshd from what I understand.
Yes, I saw you mentioned that earlier. If sshd is not affected, that's a big load off my shoulders.
And apache, only if you have https set up, right?
Right.
I've forgotten where security certificates live with ssh. Public key on the server and private on my personal workstation, right?
Yup.
I have an email server running on one box. Can the vulnerability have been used to get the sshd private keys? I'm thinking the private ssh keys would have never been in the memory space of the email server, so they are safe?
Wild guessing - if you have TLS enabled in your mail-server, I guess the vulnerability could have been used to extract data from it, but if your private key was never on that system ...
On the other hand, the pop/imap passwords could have been gotten, and for users that have a re-used password they could have been used to ssh straight into the box for any users not using a security certificate to authenticate. In that case all docs/data available to the user was potentially breached.
Yup.

--
Per Jessen, Zürich (19.6°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.