Maintained by: NLnet Labs

[Unbound-users] OpenSSL heartbleed bug

Phil Pennock
Fri Apr 11 18:10:08 CEST 2014


On 2014-04-11 at 16:30 +0200, W.C.A. Wijngaards wrote:
> Unbound's ssl-upstream, ssl-service and unbound-anchor are options and
> tools that create TLS connections.  This is vulnerable to heartbleed.

For clarity to those asking (since Wouter knows this but it wasn't
clear): if you're changing keys/certs in response to Heartbleed (as I
am) then it's because arbitrary server memory can be read.

So if you have ssl-service-key set then you're vulnerable, but you need
to then change _all_ keys and certs used by Unbound, including for those
services which are not part of the attack vector, not _just_
ssl-service-key.

-Phil
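As an added example (not part of this thread or of Unbound itself), the script below reads an unbound.conf, reports whether the ssl-service or ssl-upstream options mentioned above are in effect, and lists every key and certificate file the process loads, so an operator can act on Phil's point that all of them need rotating, not only ssl-service-key. The option names are taken from unbound.conf(5); the configuration text is a constructed sample, and it also lists remote-control key files, which the thread does not mention, as an instance of "keys used by Unbound which are not part of the attack vector".

```python
"""Report TLS exposure and the key/cert files to rotate from an unbound.conf."""
import re
from typing import Dict, List, Tuple

# Options in unbound.conf(5) that name private keys or certificates the
# Unbound process loads into memory (server: and remote-control: sections).
KEY_AND_CERT_OPTIONS = {
    "ssl-service-key", "ssl-service-pem",
    "server-key-file", "server-cert-file",
    "control-key-file", "control-cert-file",
}

# Constructed sample configuration, not a real deployment.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    ssl-port: 853
    ssl-service-key: "/etc/unbound/unbound_server.key"   # TLS listener
    ssl-service-pem: "/etc/unbound/unbound_server.pem"
    ssl-upstream: no
remote-control:
    control-enable: yes
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
"""

LINE_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")


def parse_unbound_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, option, value) triples; comments and quotes stripped."""
    entries: List[Tuple[str, str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if value == "":            # "server:" / "remote-control:" headers
            section = key
            continue
        entries.append((section, key, value.strip('"')))
    return entries


def assess(entries: List[Tuple[str, str, str]]) -> Dict[str, object]:
    """Decide whether the options from the thread expose TLS, and list files."""
    opts: Dict[Tuple[str, str], str] = {}
    for section, key, value in entries:
        opts[(section, key)] = value       # last occurrence wins, as in Unbound
    reasons: List[str] = []
    if opts.get(("server", "ssl-service-key")):
        reasons.append("ssl-service-key is set: Unbound serves TLS (ssl-service)")
    if opts.get(("server", "ssl-upstream"), "no").lower() == "yes":
        reasons.append("ssl-upstream is yes: Unbound opens TLS to upstream servers")
    # Rotate every key/cert the process loads, whichever section names it.
    rotate = sorted({v for _, k, v in entries if k in KEY_AND_CERT_OPTIONS and v})
    return {"exposed": bool(reasons), "reasons": reasons, "rotate": rotate}


if __name__ == "__main__":
    report = assess(parse_unbound_conf(SAMPLE_CONF))
    print("TLS exposed:", report["exposed"])
    for r in report["reasons"]:
        print("  -", r)
    print("Rotate these key/cert files:")
    for path in report["rotate"]:
        print("  ", path)
```

Run it against a real file with `assess(parse_unbound_conf(open("/etc/unbound/unbound.conf").read()))`; the file list is the rotation worklist, and a config with neither option set still shows which remote-control keys the daemon holds.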