Date: Tue, 08 Apr 2014 16:05:02 +0200 From: Dirk Engling <erdgeist@erdgeist.org> To: freebsd-security@freebsd.org Subject: Re: http://heartbleed.com/ Message-ID: <5344020E.9080001@erdgeist.org> In-Reply-To: <5343FD71.6030404@sentex.net> References: <53430F72.1040307@gibfest.dk> <53431275.4080906@delphij.net> <5343FD71.6030404@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 08.04.14 15:45, Mike Tancsa wrote: > I am trying to understand the implications of this bug in the > context of a vulnerable client, connecting to a server that does not > have this extension. e.g. a client app linked against 1.xx thats > vulnerable talking to a server that is running something from RELENG_8 > in the base (0.9.8.x). Is the server still at risk ? Will the client > still bleed information ? If the adversary is in control of the network and can MITM the connection, then yes. The client leaks random chunks of up to 64k memory, and that is for each heartbeat request the server sends. erdgeist
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5344020E.9080001>