Running OpenSSL on anything?
You need to upgrade to version 1.0.1g or patch your existing install right now!
I run a bunch of Debian-based systems, so I upgraded them all to version 1.0.1g (1.0.1e is the default available from the Debian repos, but I don’t know if it has been patched, so I just opted to upgrade manually to 1.0.1g).
See the security advisory here – https://www.openssl.org/news/secadv_20140407.txt
Here is the quick and dirty guide (commands run as root):
First, check which version of OpenSSL you are running:
    openssl version
My Debian system returned:
    OpenSSL 1.0.1e 11 Feb 2013
So it needs upgrading. Use the commands below to go and grab version 1.0.1g from www.openssl.org and install it:
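    # Download and unpack the 1.0.1g source
    cd /usr/src/
    wget www.openssl.org/source/openssl-1.0.1g.tar.gz
    tar xfz openssl-1.0.1g.tar.gz
    cd openssl-1.0.1g
    # Build shared libraries and install over the system copy in /usr
    ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared
    make
    make install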
Once it’s done (if you don’t get any errors) you can check the version by running:
    openssl version
It should return something like:
    OpenSSL 1.0.1g 7 Apr 2014
This vulnerability has been around for a while, so it’s probably best to re-key your SSL certificate just to make sure. Your own SSL certificate provider will be able to help you with this, but you must make sure that the old certificate is also revoked at the same time, as some providers don’t do that automatically when you re-key.
****EDIT****
You can test your server using this handy tool – http://filippo.io/Heartbleed/
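The version check from the guide, as an added example that is not part of the original post: a shell function that classifies `openssl version` output against the affected range in the advisory (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1), run over a constructed host inventory. The function names, the `host|output` inventory format and the sample hosts are assumptions. A distribution package can carry a backported fix under an affected version string, so read "vulnerable" as "confirm against the vendor's advisory".

```shell
#!/bin/sh
# Added example, not from the original post.
# Classify one line of `openssl version` output, for example
# "OpenSSL 1.0.1e 11 Feb 2013", against the Heartbleed advisory.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    ver=${ver%-fips}                 # some builds report e.g. "1.0.1e-fips"
    case "$ver" in
        "")                      echo unknown ;;
        1.0.1|1.0.1[abcdef])     echo vulnerable ;;    # 1.0.1 through 1.0.1f
        1.0.2-beta|1.0.2-beta1)  echo vulnerable ;;
        1.0.1[a-z])              echo fixed ;;         # 1.0.1g and later letters
        0.9.*|1.0.0*)            echo not-affected ;;  # branches without the bug
        *)                       echo unknown ;;
    esac
}

# Read "host|<openssl version output>" lines on stdin (hypothetical format)
# and print every host that is vulnerable or could not be classified.
hosts_needing_upgrade() {
    while IFS='|' read -r host line; do
        [ -n "$host" ] || continue
        case "$(heartbleed_status "$line")" in
            vulnerable|unknown) printf '%s\n' "$host" ;;
        esac
    done
}

# Constructed sample inventory, e.g. gathered with ssh from each machine.
SAMPLE_INVENTORY='web1|OpenSSL 1.0.1e 11 Feb 2013
web2|OpenSSL 1.0.1g 7 Apr 2014
db1|OpenSSL 0.9.8y 5 Feb 2013
vpn1|OpenSSL 1.0.1e-fips 11 Feb 2013'

printf '%s\n' "$SAMPLE_INVENTORY" | hosts_needing_upgrade
```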




