- yes we're affected;
- we're currently working on it;
- we didn't have an early warning so we're doing as fast as we can.
DSA should be in your INBOX in a few moments, and the updates on the mirror a moment later.
[UPDATE Tue, 08 Apr 2014 01:06:42 +0200]
- DSA 2896-1 released;
- Wheezy packages are already on the security mirrors;
- Sid packages are waiting in incoming and should be accepted soon (and migrate right away to Jessie).
After the upgrade, you really need to restart all TLS applications using libssl1.0.0 to get the fix. Usual suspects are webservers, mailservers etc. Don't forget to restart clients too. Easiest way is to completely reboot the server, but in case that's not a solution, you can check the processes still using the old library with the following snippet:
grep -l 'libssl.*deleted' /proc/*/maps | tr -cd 0-9\\n | xargs -r ps u
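The same check as a reusable function, added here as an example rather than taken from the post. It also catches a stale libcrypto mapping (shipped in the same libssl1.0.0 package), prints the process name next to the PID, and takes an optional proc root (an assumption added so the scan can be run against a constructed tree):

```shell
#!/bin/sh
# List processes that still map a deleted (i.e. pre-upgrade) libssl or
# libcrypto. Argument 1 is the proc root, defaulting to /proc; a different
# root is only useful for testing against a constructed tree.
stale_tls_pids() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        # unreadable maps (other users' processes without root) are skipped
        [ -r "$maps" ] || continue
        # a replaced library shows up in maps as "/path/libssl.so.1.0.0 (deleted)"
        if grep -q -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            dir="${maps%/maps}"
            pid="${dir##*/}"
            comm="$(cat "$dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Usage: run as root so every process's maps file is readable.
# stale_tls_pids
```

An empty result means every process has picked up the new library; anything listed still needs a restart.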
Some people seem to indicate that the 64kB leak can enable an attacker to get pretty much anything from the process memory space, including the certificate private key. While we weren't able to confirm that yet, that's not really impossible, so you might also want to regenerate those private keys, although that's not something you should do in a rush either.