“We have just found a vulnerability in the patched version of OpenSSL. A missing bounds check in the handling of the variable DOPENSSL_NO_HEARTBEATS. We could successfully overflow the DOPENSSL_NO_HEARTBEATS and retrieve 64kb chunks of data again on the updated version,” the hackers wrote on Pastebin.
However, I think we will have to wait for the final verdict on this one:
Hacker claims about bug in fixed OpenSSL likely a scam
Security experts have expressed doubts about a hacker claim that there is a new vulnerability in the patched version of OpenSSL, the widely used cryptographic library repaired in early April.
A group of five hackers writes in a posting on Pastebin that they worked for two weeks to find the bug and developed code to exploit it. They have offered the code for the price of 2.5 bitcoins, around $870 (€627).
A new flaw in OpenSSL could pose just as much of a threat as Heartbleed did. But the hackers’ claim was met with immediate suspicion on Full Disclosure, a forum for discussing vulnerability reports.
One commentator, Todd Bennett, wrote that the technical description of their claim is “rather extraordinary.”