Heartbleed vulnerability [UPDATED]

Detailed information about the Heartbleed bug can be found on the www.heartbleed.com web site, including a list of the major distributions of Linux that have shipped buggy OpenSSL packages. A list of the vulnerable OpenSSL packages is available from the OpenSSL group, here: https://www.openssl.org/news/secadv_20140407.txt

April 11th, 2014:

Seemed like it was taking too long for OpenSSL 1.01g to appear so I started poking around and found this:

http://www.ubuntu.com/usn/usn-2165-1/

Note that installing only the OpenSSL package and restarting Apache will not solve the problem. The buggy library is being used by more than one daemon within the system. Each one that is using the library must be restarted - including mail daemons, SSH and possibly others depending on the setup of your server. Ubuntu recommends, in the note referenced above, that the servers should simply be rebooted.

Mr. Filippo Valsorda has very kindly provided a tool that we can use to test our servers:

http://filippo.io/Heartbleed/

Thank you Mr. Valsorda!


April 9th, 2014:

This evening I decided to check a number of servers that I have installed over the past several years, including Fedora Core, CentOS and Ubuntu servers. I found that they are mostly running OpenSSL v0.98. This version suffers from no known or reported vulnerabilities.

It seems, though, that currently supported releases of major Linux distributions are sometimes running one of the vulnerable versions of OpenSSL prior to the patched 1.01g. For example one of my gateways is running Ubuntu 10.04 LTS with a buggy OpenSSL v1.01e. Although this is not a desirable situation for us I do think we will succeed in managing it. The nice thing about currently supported releases is that security patches will be issued and we will be able to install them easily - and hopefully soon.

All in all I would say that this situation is somewhat under control and there is no need to worry as long as the updates are installed reasonably quickly.

Tags: