How is Linux fixing issues of OpenSSL security?

A vulnerability has been published in OpenSSL 1.0.1 that lets an attacker disclose up to 64 KB of memory from a connected client or server (CVE-2014-0160). The leaked memory may contain X.509 authentication material, usernames and passwords, texts, messages, business reports and correspondence. According to the OpenSSL Security Advisory, Neel Mehta of Google Security discovered this bug.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. The bug compromises the secret keys used to identify service providers, as well as the names and passwords of users. This allows information to be taken directly from services and users. Here is the list of operating systems that have shipped with a potentially vulnerable OpenSSL version.

  • Fedora 18, OpenSSL 1.0.1e-4
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
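A version string alone does not settle whether a packaged build is still exposed, because distributions backport fixes without changing the upstream letter. The sketch below is an added example, not code from the original post or from OpenSSL: it classifies the package versions listed above, and the function name, status labels and sample changelog line are assumptions made for illustration.

```python
import re

# Upstream OpenSSL 1.0.1 through 1.0.1f carry CVE-2014-0160; 1.0.1g has the fix.
LAST_AFFECTED_LETTER = "f"
_UPSTREAM = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]?)")


def heartbleed_status(version, changelog="", build_flags=""):
    """Classify an OpenSSL version or distro package version string.

    changelog   -- package changelog text (distros backport fixes without
                   changing the upstream letter, so the version alone is
                   not conclusive for a packaged build)
    build_flags -- the "compiler:" line printed by `openssl version -a`
    """
    m = _UPSTREAM.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    branch, letter = m.groups()
    if branch != "1.0.1":
        return "other-branch"          # only the 1.0.1 branch is evaluated here
    if letter > LAST_AFFECTED_LETTER:
        return "fixed-upstream"
    if "OPENSSL_NO_HEARTBEATS" in build_flags:
        return "heartbeat-disabled"    # heartbeat code compiled out of the build
    if "CVE-2014-0160" in changelog:
        return "patched-by-vendor"
    return "potentially-vulnerable"


# Package versions taken from the list above.
PAGE_VERSIONS = ["1.0.1e-4", "1.0.1e-15", "1.0.1e-2+deb7u4",
                 "1.0.1-4ubuntu5.11", "1.0.1c"]
# Constructed sample of a vendor changelog entry.
CONSTRUCTED_CHANGELOG = "* fix CVE-2014-0160 - information disclosure in TLS heartbeat"

if __name__ == "__main__":
    for v in PAGE_VERSIONS:
        print(f"{v:22} {heartbleed_status(v)}")
    # Constructed package version with a backported fix recorded in its changelog.
    print(heartbleed_status("1.0.1e-99", changelog=CONSTRUCTED_CHANGELOG))
    print(heartbleed_status("OpenSSL 1.0.1g 7 Apr 2014"))
```

Private keys and passwords handled by a service while it ran an affected build should be treated as exposed even after the package is updated.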

“The Core Infrastructure Initiative (CII) is a multi-million dollar venture sorted out by The Linux Foundation to fund open source ventures that are in the basic way for core processing and Internet capacities. Stirred by the Heartbleed OpenSSL emergency, the Initiative’s funds will be managed by The Linux Foundation and a controlling group comprised of benefactors of the projects and additionally key open source developers and other industry stakeholders,” the Foundation stated a while ago. The first projects the CII will fund are Network Time Protocol, OpenSSH, OpenSSL, and the Open Crypto Audit Project (OCAP). OpenSSL will receive enough support to fund two full-time core developers.

The Foundation also announced that CII founding members Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, and VMware will be joined by new members Adobe, Bloomberg, HP, Huawei and Salesforce, who will work with The Linux Foundation to identify and support critical open source projects that need financial and technical assistance.
