That doesn’t sound good, especially since it’s from a credible source whose enterprise is entirely concerned with privacy and anonymity on the internet. From the Tor website:
OpenSSL bug CVE-2014-0160 Posted April 7th, 2014
A new OpenSSL vulnerability on 1.0.1 through 1.0.1f is out today, which can be used to reveal memory to a connected client or server.
If you’re using an older OpenSSL version, you’re safe.
The BBC put out the word:
A bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping, say researchers.
The bug is in a software library used in servers, operating systems and email and instant messaging systems.
Called OpenSSL, the software is supposed to protect sensitive data as it travels back and forth.
It is not clear how widespread exploitation of the bug has been because attacks leave no trace.
Because we’ve an addict in the house (he keeps it under control), I happened to notice the report that Minecraft went offline while servers were patched.
Update: BBC: Heartbleed Bug: Tech firms urge password reset
Bloomberg Businessweek: Why Heartbleed, the Latest Cybersecurity Scare, Matters