<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Apr 9, 2014 at 3:16 PM, Gary Buhrmaster <span dir="ltr"><<a href="mailto:gary.buhrmaster@gmail.com" target="_blank">gary.buhrmaster@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Wed, Apr 9, 2014 at 6:52 PM, Ian Evans <<a href="mailto:dheianevans@gmail.com">dheianevans@gmail.com</a>> wrote:<br>
> Just a heads up that if you've made your mythbox accessible from the outside<br>
> via ssh or mythweb you may need to make sure your system isn't affected by<br>
> the recenlty discovered heartbleed security hole.<br>
<br>
</div>Ok, it is worth pointing out that OpenSSH is *NOT* vulnerable<br>
to this vulnerability. While OpenSSH does use OpenSSL for<br>
some key generation functions, OpenSSH does not use TLS.<br>
<br>
Do not get an a panic about your OpenSSH server regarding<br>
this vulnerability.<br>
<br>
Do get your OpenSSL updates. For server admins, do<br>
regenerate your keys and get a new certificate from your CA<br>
(and while you are at it, consider implementing PFS). As<br>
a client, after you have verified your favorite web sites have<br>
updated, do change your passwords at those sites. Any/all<br>
passwords that are shared among any sites should be<br>
considered compromised. And if you are especially lazy,<br>
at least change the passwords on the sites that can really<br>
matter in your life and PII (banking, health care, etc.).<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br></div></div></blockquote></div><br><br></div><div class="gmail_extra">If we do have an ssl-protected web-facing mythweb right now and don't have time in the next day or so to take additional steps, should we at least shutdown apache?<br>
</div></div>