[mythtv-users] the heartbleed openssl bug and mythtv

Gary Buhrmaster gary.buhrmaster at gmail.com
Wed Apr 9 19:16:06 UTC 2014


On Wed, Apr 9, 2014 at 6:52 PM, Ian Evans <dheianevans at gmail.com> wrote:
> Just a heads up that if you've made your mythbox accessible from the outside
> via ssh or mythweb you may need to make sure your system isn't affected by
> the recently discovered heartbleed security hole.

Ok, it is worth pointing out that OpenSSH is *NOT* vulnerable
to this vulnerability.  While OpenSSH does use OpenSSL for
some key generation functions, OpenSSH does not use TLS.

Do not get in a panic about your OpenSSH server regarding
this vulnerability.

Do get your OpenSSL updates.  For server admins, do
regenerate your keys and get a new certificate from your CA
(and while you are at it, consider implementing PFS).  As
a client, after you have verified your favorite web sites have
updated, do change your passwords at those sites.  Any/all
passwords that are shared among any sites should be
considered compromised.  And if you are especially lazy,
at least change the passwords on the sites that can really
matter in your life and PII (banking, health care, etc.).
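
[Added example, not part of the original message: one way to check the PFS suggestion above is to sort the output of `openssl ciphers -v` for your server's cipher string by key exchange, since only ephemeral (EC)DH suites keep recorded sessions safe if the private key leaks later. The SAMPLE text and all function names are constructed for illustration.]

```python
# Classify `openssl ciphers -v` output lines by forward secrecy.
# SAMPLE is constructed input, not captured from a real host.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
ECDH-RSA-AES256-SHA         SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(256)    Mac=SHA1
ADH-AES256-SHA              SSLv3   Kx=DH       Au=None Enc=AES(256)    Mac=SHA1
"""

# Ephemeral (EC)DH prints as a bare "ECDH" or "DH"; the static variants
# carry a suffix such as "ECDH/RSA" or "DH/DSS".
EPHEMERAL_KX = {"ECDH", "DH"}


def parse_line(line):
    """Split one line into the suite name, protocol and Key=Value fields."""
    fields = line.split()
    if len(fields) < 3:
        return None
    attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    return {"name": fields[0], "proto": fields[1], **attrs}


def classify(suite):
    kx, au = suite.get("Kx"), suite.get("Au")
    if kx in EPHEMERAL_KX:
        # Anonymous DH is ephemeral but unauthenticated, so list it apart.
        return "anonymous" if au == "None" else "pfs"
    if kx == "RSA" or (kx and "/" in kx):
        return "no-pfs"      # RSA key transport or static (EC)DH
    return "unknown"         # e.g. PSK/SRP suites or Kx=any: check by hand


def audit(text):
    report = {"pfs": [], "no-pfs": [], "anonymous": [], "unknown": []}
    for line in text.splitlines():
        suite = parse_line(line)
        if suite:
            report[classify(suite)].append(suite["name"])
    return report


if __name__ == "__main__":
    for group, names in audit(SAMPLE).items():
        print(f"{group:10s} {', '.join(names) or '-'}")
```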

