Version 1.0.1g of Open SSL adds some bounds checks to prevent the buffer over-read.
The affected versions of Open SSL are Open SSL 1.0.1 through 1.0.1f (inclusive).
Subsequent versions (1.0.1g The problem can be fixed by ignoring Heartbeat Request messages that ask for more data than their payload needs.
Errata Security pointed out that a widely used non-malicious program called Masscan, introduced six months before Heartbleed's disclosure, abruptly terminates the connection in the middle of handshaking in the same way as Heartbleed, generating the same server log messages, adding "Two new things producing the same error messages might seem like the two are correlated, but of course, they aren't." According to Bloomberg News, two unnamed insider sources informed it that the United States' National Security Agency had been aware of the flaw since shortly after its appearance but—instead of reporting it—kept it secret among other unreported zero-day vulnerabilities in order to exploit it for the NSA's own purposes. Clarke, a member of the National Intelligence Review Group on Intelligence and Communications Technologies that reviewed the United States' electronic surveillance policy; he told Reuters on April 11, 2014 that the NSA had not known of Heartbleed.
The allegation prompted the American government to make, for the first time, a public statement on its zero-day vulnerabilities policy, accepting the recommendation of the review group's 2013 report that had asserted "in almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection", and saying that the decision to withhold should move from the NSA to the White House.
Heartbleed is a security bug in the Open SSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol.
It was introduced into the software in 2012 and publicly disclosed in April 2014.
Following Seggelmann's request to put the result of his work into Open SSL, his change was reviewed by Stephen N. Henson failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into Open SSL's source code repository on December 31, 2011.
The defect spread with the release of Open SSL version 1.0.1 on March 14, 2012.
which would enable attackers to decrypt communications (future or past stored traffic captured via passive eavesdropping, unless perfect forward secrecy is used, in which case only future traffic can be decrypted if intercepted via man-in-the-middle attacks).