updated 02:41 pm EDT, Tue April 8, 2014
Security flaw in OpenSSL encryption library dates back to early 2012
A major security flaw has been discovered in the OpenSSL cryptographic software library, jeopardizing the security of a large number of SSL/TLS-based transmissions. The fault, named the "Heartbleed Bug," has apparently existed since March last year but was only recently uncovered, and it puts at risk not only the contents of encrypted online communications but also the SSL keys used in the transmission.
Heartbleed appears in the widely available OpenSSL version 1.0.1, as well as the beta of 1.0.2, with the former version being used in a large proportion of servers. The effects of the bug are varied and wide-ranging, with ZDNet reporting that it allows attackers to reveal credit card details in a transaction over HTTPS. The issue is severe enough that exposed SSL keys could potentially be used to enter a server without leaving any sign of an intrusion. The Heartbleed site dedicated to the bug, created by Codenomicon Defensics, describes Heartbleed as allowing attackers to "eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users."
Version 1.0.1 has a fix available, bringing it to 1.0.1g, with a similar patch for the 1.0.2 beta also being worked on. Service providers have been asked to install the bug fixes as quickly as possible.
OpenSSL versions 1.0.0 and 0.9.8 are reportedly not affected by the flaw.
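For administrators triaging an inventory against the version ranges reported above, the following is an added example (not code from the article or from the OpenSSL project): it parses the string printed by `openssl version` and classifies it using only what this page states, assuming that 1.0.1 through 1.0.1f are affected, 1.0.1g is fixed, any 1.0.2 beta is affected, 1.0.0 and 0.9.8 are not affected, and anything else is unknown. The inventory lines are constructed sample data.

```python
import re

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "1.0.2-beta1", "0.9.8y", ...
VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|dev))?")


def parse_version(text):
    """Parse an OpenSSL version string into (major, minor, patch, letter, tag)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognized OpenSSL version string: %r" % text)
    major, minor, patch, letter, tag = m.groups()
    return (int(major), int(minor), int(patch), letter, tag or "")


def heartbleed_status(text):
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' for a version string."""
    major, minor, patch, letter, tag = parse_version(text)
    branch = (major, minor, patch)
    if branch == (1, 0, 1):
        # Letter-suffixed releases sort alphabetically: 1.0.1 < 1.0.1a < ... < 1.0.1g.
        # Assumption: 1.0.1g is the fixed release, so everything before it is affected.
        return "fixed" if letter >= "g" else "affected"
    if branch == (1, 0, 2):
        # The page reports the 1.0.2 beta as affected with a patch still being worked on.
        return "affected" if tag.startswith("beta") else "unknown"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not_affected"
    return "unknown"


# Constructed sample inventory: "hostname<TAB>output of `openssl version`".
INVENTORY = [
    "web1\tOpenSSL 1.0.1e 11 Feb 2013",
    "web2\tOpenSSL 1.0.1g 7 Apr 2014",
    "lab1\tOpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy1\tOpenSSL 1.0.0l 6 Jan 2014",
    "legacy2\tOpenSSL 0.9.8y 5 Feb 2013",
]


def triage(lines):
    """Map each host in the inventory to its Heartbleed status."""
    result = {}
    for line in lines:
        host, version = line.split("\t", 1)
        result[host] = heartbleed_status(version)
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print("%-10s %s" % (host, status))
```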