Possibly one of the most significant security bugs in recent times. Any server running OpenSSL 1.0.1 through 1.0.1f (inclusive) is vulnerable to this security threat. As this is a common package on many Linux distros, a very large number of Internet servers, hosting everything from websites and ecommerce sites to email and instant messaging systems, are likely affected by this bug.
By exploiting this memory leak, the server's private key can be compromised. The attack leaves no trace. With the private key in hand, attackers could decrypt any past and future secure traffic that used or uses this key.
For the average Internet user, this potentially means that the password you use to access a given secure website (on a server affected by this bug) could be determined by anyone who has access to a copy of the data packets exchanged between you and the "secure" server. This could be anyone who has access to the path on which your data flows between client and web server: a local network administrator, an ISP (and, it goes without saying, the NSA).
What Happens Now:
Sysadmins will need to patch their systems and get new private keys re-issued.
Users should change their passwords once the system is fully patched and operating with new keys.
The affected versions of OpenSSL are included by default in the following operating systems:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 (OpenSSL 1.0.1e 11 Feb 2013)
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
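
A quick way to triage hosts against the range given above (1.0.1 through 1.0.1f inclusive). This is an added example, not part of the original post; classify_openssl is a hypothetical helper name, and the last three input lines are constructed for contrast.

```shell
#!/bin/sh
# Added example (not from the original post). classify_openssl is a
# hypothetical helper name. It checks the upstream version only: distro
# packages can carry a backported fix under the same upstream letter, so an
# "affected-range" result must be confirmed against the vendor's advisory.

classify_openssl() {
    # Accept "OpenSSL 1.0.1e-fips 11 Feb 2013" as well as "1.0.1e-2+deb7u4".
    s=${1#OpenSSL }
    # Keep major.minor.fix plus the optional patch letter(s); drop the rest.
    ver=$(printf '%s\n' "$s" |
        LC_ALL=C sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p')
    case "$ver" in
        "")                  echo "unknown" ;;
        1.0.1|1.0.1[abcdef]) echo "affected-range" ;;   # 1.0.1 through 1.0.1f
        *)                   echo "outside-range" ;;
    esac
}

# Version strings as listed in the post, then three constructed ones.
while IFS= read -r v; do
    printf '%-28s %s\n' "$v" "$(classify_openssl "$v")"
done <<'EOF'
1.0.1e-2+deb7u4
1.0.1-4ubuntu5.11
1.0.1e-15
OpenSSL 1.0.1c 10 May 2012
OpenSSL 1.0.1e 11 Feb 2013
1.0.1g
0.9.8y
not-a-version
EOF

# Classify the local binary as well, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl version 2>/dev/null) || local_ver=""
    printf '%-28s %s\n' "local: $local_ver" "$(classify_openssl "$local_ver")"
fi
```

A patched host still needs the new keys described under "What Happens Now"; the version check says nothing about whether the old key was already exposed.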