CentOSDebianFedoraLinuxNetworking & SecurityRedHatUbuntu

[How to ] Fix OpenSSL for Heartbleed Vulnerability

As you are all aware of the latest OpenSSL vulnerability termed as "Heartbleed", many blogs are providing information what it is and how does it affects. I am going to focus on fixing the OpenSSL Heartbleed vulnerability in this post.

Which OpenSSL versions are affected?

The OpenSSL version 1.0.1 is vulnerable except version 1.0.1g. Other versions like 1.0.0, 0.9.x are not vulnerable.

How can I upgrade the OpenSSL version?

Community has released updates. Following links contain latest OpenSSL versions.

Debian: http://www.debian.org/security/2014/dsa-2896
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003206.html
CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

Download the latest package from the above links and update OpenSSL.

I am using OpenSSL version 1.0.1. How can I know if it is patched?

The vulnerable version was shipped in following OS:

Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

Verify the OpenSSL information:

yum info openssl

If you receive following output, then the version is vulnerable

Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 16.el6_5.4
Size : 4.0 M
Repo : installed

Another way to check is by executing following command which checks the OpenSSL log:

rpm -q --changelog openssl | grep CVE-2014-0160

If you get following output then the version of OpenSSL is patched

- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

Important: It is mandatory to reboot the server once the OpenSSL is patched. This is important so that service using OpenSSL "libssl" will get resartedt.

Hope this help! 🙂

Abhijit Sandhan

Loves Open Source, Blogging, Traveling, Hiking and sharing Knowledge!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button