I don't think there can be a challenge to what is said. In this case it is an issue with SSL and not the OS that utilizes it. That has been my take on it. So yes, it isn't I run Linux and therefore safe as it is on the server side where the PW use is. Again, that is how I've read things.


EDIT: Note: I'm not an expert so don't take my word for it!

The vulnerability is in the code that implements the TLS heartbeat extension in certain versions of the OpenSSL libraries. The version of OpenSSL used on the server hosting Kubuntu forums is not vulnerable. There is no need for our members to do anything.

---

Specifically, a specially-crafted message could force a vulnerable service (usually a web server) using the affected OpenSSL libraries to reveal 64 KB of information stored in the service process's memory heap. Multiple messages could force the return of muliple 64 KB chunks. Within this data, an attacker may be able to find clear-text passwords, challenge/response pairs, private keys associated with certificates, or anything else that the service process has stored on its heap. Changing passwords on sites running the vulnerable version of OpenSSL is probably unnecessary, but if you're paranoid, it's not a bad thing to consider.

Note that any operating system running the vulnerable versions of the OpenSSL libraries is affected. It has nothing to with being Linux or not Linux. Windows servers, for example, have a completely different SSL implementation called SChannel. SChannel is not affected by this vulnerability at all. However, if someone installed some other web server, like Apache Tomcat, on Windows, then the vulnerability may be present. Again, it depends on which version of the OpenSSL libraries are installed.

Thanks and that confirms it is on the server side and why it is up to those individuals that their software is up to date and then the process of SSL certificate reissues.