On Fri, Apr 11, 2014 at 09:52:57AM -0400, Greg Freemyer wrote:
On Fri, Apr 11, 2014 at 9:38 AM, Vojtěch Zeisek <vojtech.zeisek@opensuse.org> wrote:
Still I haven't heard about any real misuse of this bug. Are there any examples of compromised servers etc.?
Between the announcement of the vulnerability and the roll-out of the patches, absolutely.
Security teams immediately put up traffic sniffers and watched their clients passwords, credit card numbers etc. flying out the door. They also saw the SSL private security keys flying out.
To assume you weren't hit in the 2 or 3 days between the announcement of the problem and the roll-out of the patch is a leap of faith for sure.
There is also the problem that the issue was present in the codebase for 2 years and there are people with network capture dumps that saw exploitation or probing in November 2013. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org