To all NoMachine users,
An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. An attacker could use this flaw to obtain up to 64k of memory contents from the client or server, which could potentially lead to the disclosure of private keys and other sensitive information. (CVE-2014-0160)
OpenSSL is used in NoMachine 4 software to power TLS and encryption in a number of subsystems. NoMachine has already commenced building and testing its own software with the updated OpenSSL libraries. The new packages will be released as soon as possible with instructions on how to regenerate the possibly compromised keys. Until then, NoMachine advises its users to put all machines running version 4 and containing sensitive information offline.
The NoMachine Security Team
This topic was modified 10 years, 5 months ago by Britgirl.