Running OpenSSL on anything?
You need to upgrade to version 1.0.1g or patch your existing install right now!
I run a bunch of Debian-based systems, so I upgraded them all to version 1.0.1g (1.0.1e is the default available from the Debian repos, but I don't know whether it has been patched, so I just opted to upgrade manually to 1.0.1g).
See the security advisory here – https://www.openssl.org/news/secadv_20140407.txt
Here is the quick and dirty guide (commands run as root):
First, check which version of OpenSSL you are running:
openssl version
My Debian system returned:
OpenSSL 1.0.1e 11 Feb 2013
So it needs upgrading. Use the commands below to grab version 1.0.1g from www.openssl.org and install it (the original post only shows the extract and configure lines; the download, cd, make and make install lines are the standard OpenSSL build steps, added here, and the download path is the one the tarball was published under at the time of the advisory):
wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar xfz openssl-1.0.1g.tar.gz && cd openssl-1.0.1g
./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared
make && make install
Once it's done (if you don't get any errors) you can check the version by running:
openssl version
It should return something like:
OpenSSL 1.0.1g 7 Apr 2014
Remember that processes which were already running (web servers, mail servers, VPN daemons and so on) keep the old libssl loaded in memory, so restart every service that links against OpenSSL (or reboot) before you consider the box fixed.
This vulnerability has been around for a while, so it's probably best to re-key your SSL certificate just to make sure. Your SSL certificate provider will be able to help you with this, but make sure the old certificate is also revoked at the same time as you re-key, because some providers don't do that automatically.
You can test your server using this handy tool – http://filippo.io/Heartbleed/
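Because the version check above is the only thing that tells you whether a box needs the upgrade, here is an added shell helper (not from the original post) that classifies the output of openssl version against the affected range in the OpenSSL advisory linked above: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g is fixed, and the 1.0.0 and 0.9.8 branches are not affected. The function names and the sample version strings are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies an "openssl version"
# string against the affected range in the OpenSSL 2014-04-07 advisory:
#   1.0.1 and 1.0.1a..1.0.1f affected, 1.0.2-beta1 affected,
#   1.0.1g (and later letters) fixed, 1.0.0 and 0.9.8 branches not affected.
# Prints one word: affected, fixed or not-affected.
heartbleed_verdict() {
    ver=${1#"OpenSSL "}     # drop the leading program name
    ver=${ver%% *}          # keep the first word, e.g. "1.0.1e"
    case "$ver" in
        1.0.1)          echo affected ;;      # bare 1.0.1 with no patch letter
        1.0.1[a-f]*)    echo affected ;;      # 1.0.1a .. 1.0.1f (suffixes such as -fips too)
        1.0.1[g-z]*)    echo fixed ;;         # 1.0.1g or a later patch letter
        1.0.2-beta1*)   echo affected ;;      # listed in the advisory as well
        *)              echo not-affected ;;  # 1.0.0x, 0.9.8x or anything outside the range
    esac
}

# Run the check against the locally installed binary. Exit status: 0 when an
# upgrade (or confirmation of a distro backport) is needed, 1 when the version
# string is outside the affected range, 2 when openssl is not on PATH.
check_local_openssl() {
    out=$(openssl version 2>/dev/null) || { echo "openssl not found on PATH"; return 2; }
    verdict=$(heartbleed_verdict "$out")
    echo "$out -> $verdict"
    case "$verdict" in
        affected) echo "Upgrade to 1.0.1g or confirm your distribution backported the fix"; return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: sh heartbleed_check.sh --check
if [ "${1-}" = "--check" ]; then
    check_local_openssl
fi
```

A version string cannot tell you whether a distribution backported the fix into 1.0.1e without bumping the letter, so on a Debian box that still reports 1.0.1e also read the package changelog (apt-get changelog openssl) before deciding it is unpatched.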