Heya there, not sure how many of you are aware of it. Explanation of what it is. You can see how the actual code works here. The first time it hit Steam, someone changed the name of Black Ops 2 to "Valve please reset all partner logins because heartbleed". Now they have done the same with South Park: The Stick of Truth. Quite scary when you think about it...
1. I'm not aware that Valve even used OpenSSL (there are other encryption sources than OpenSSL, which do not have this problem). 2. When I checked the Valve site for the vulnerability they either had fixed it, or they didn't use it in the first place. So if you think Valve was compromised, it's now as safe as can be again to change your password on it. And your secret questions, and your Steam Guard activation, and your email, but not to click phishing links.
The Steam Store does not, so it was not affected. But the Steam Community has OpenSSL and it was affected. Those people say "Valve seriously... reset partner logins". So I guess that the partner logins are affected and enterable through the Steam Community site. This way they could change the information of the game itself on the page. But I'm sure that they can't change the download and make you download a virus or something like that.
Ah God dammit Panromir! I had just copied the image url of that picture and went here to post it and then you ninja'd me.
I've got it from a reliable source that only the dev platform of Valve was affected, not the other parts, for there it wasn't using OpenSSL.
Not sure what the hell this means, but this is supposedly how to fix it:

Code:

    if (1 + 2 + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;

Can someone explain this to me?
Looks like the patch which makes OpenSSL check that the requested size is equal to the size of the payload. What *you* have to do is simply update your system(s), if they use OpenSSL.
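
The length check from the fix quoted above, as an added stand-alone example that is not part of the thread and not OpenSSL's own code: it runs the same two comparisons over constructed heartbeat records, one honest and one whose length field claims far more than was sent. The names `hb_parse` and `hb_build` and the sample records are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER 3   /* 1-byte type + 2-byte payload length (the "1 + 2") */
#define HB_PADDING 16 /* minimum padding (the "16") */

/* Validate a received heartbeat record and copy out its payload.
 * Returns the payload length, or -1 if the record must be silently discarded. */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    /* First check: too short to hold type, length field and padding. */
    if (HB_HEADER + HB_PADDING > rec_len)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* sender's claimed length */
    /* Second check: the claim must fit inside what was actually received. */
    if (HB_HEADER + payload + HB_PADDING > rec_len)
        return -1;
    if (payload > out_cap)
        return -1;
    memcpy(out, rec + HB_HEADER, payload);
    return (int)payload;
}

/* Build a constructed record: type 1, claimed length, real data, padding. */
size_t hb_build(uint8_t *buf, uint16_t claimed, const char *data, size_t pad)
{
    size_t n = strlen(data);
    buf[0] = 1; /* heartbeat request */
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HEADER, data, n);
    memset(buf + HB_HEADER + n, 0, pad);
    return HB_HEADER + n + pad;
}

int main(void)
{
    uint8_t rec[64], out[64];
    size_t len = hb_build(rec, 4, "bird", 16);
    printf("honest claim: %d\n", hb_parse(rec, len, out, sizeof out));
    len = hb_build(rec, 0x4000, "bird", 16);
    printf("oversized claim: %d\n", hb_parse(rec, len, out, sizeof out));
    return 0;
}
```

Without the second comparison, the copy would use the claimed length and read past the end of the received record.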