As you are all aware of the latest OpenSSL vulnerability termed as "Heartbleed", many blogs are providing information what it is and how does it affects. I am going to focus on fixing the OpenSSL Heartbleed vulnerability in this post.
Which OpenSSL versions are affected?
The OpenSSL version 1.0.1 is vulnerable except version 1.0.1g. Other versions like 1.0.0, 0.9.x are not vulnerable.
How can I upgrade the OpenSSL version?
Community has released updates. Following links contain latest OpenSSL versions.
Debian: http://www.debian.org/security/2014/dsa-2896 Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/ Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003206.html CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
Download the latest package from the above links and update OpenSSL.
I am using OpenSSL version 1.0.1. How can I know if it is patched?
The vulnerable version was shipped in following OS:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4 Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11 CentOS 6.5, OpenSSL 1.0.1e-15 Fedora 18, OpenSSL 1.0.1e-4 OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012) FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013 NetBSD 5.0.2 (OpenSSL 1.0.1e) OpenSUSE 12.2 (OpenSSL 1.0.1c)
Verify the OpenSSL information:
yum info openssl
If you receive following output, then the version is vulnerable
Installed Packages Name : openssl Arch : x86_64 Version : 1.0.1e Release : 16.el6_5.4 Size : 4.0 M Repo : installed
Another way to check is by executing following command which checks the OpenSSL log:
rpm -q --changelog openssl | grep CVE-2014-0160
If you get following output then the version of OpenSSL is patched
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Important: It is mandatory to reboot the server once the OpenSSL is patched. This is important so that service using OpenSSL "libssl" will get resartedt.
Hope this help! 🙂