A security vulnerability in OpenSSL, known as Heartbleed, has been found. It is important to update your local version of OpenSSL to correct this issue. Below are the steps you can follow to make sure that the patch is installed on your system. Please have a backup of your system ready before making any changes.
Patched versions of OpenSSL are available on the most popular distros. If you have compiled from source, you will need to compile and reinstall version 1.0.1g. Alternatively, you can recompile previous versions with the OPENSSL_NO_HEARTBEATS flag enabled to close the vulnerability.
Ubuntu and Debian
First, check the current version of your OpenSSL:
$ openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sat Mar 1 21:16:43 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
Look at the version above. OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
Run the following commands to update and upgrade your system:
sudo apt-get update
sudo apt-get upgrade
During the system upgrade, you may be shown a window that warns you about the security issue and lists the services that use OpenSSL and need to be restarted to apply the patch. You can add any additional services by entering their init.d script names in this field.
If you do not see this window during the upgrade, you have to manually restart any services that use OpenSSL.
After updating the system, run the following command again to confirm the newer build is in place:
openssl version -a
OpenSSL 1.0.1g 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
CentOS
Check to see what your current OpenSSL version is:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan 8 18:40:59 UTC 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic
Carefully check the version line. OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
To update OpenSSL from the repositories, run:
yum -y install openssl
After updating the package, run openssl version -a again to confirm the new build. The version string stays at 1.0.1e-fips because the distribution backports the fix into the existing version; what changes is the build date:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
Please manually restart any services that use OpenSSL.
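A small shell check, added here and not part of the original guide, that reads the same openssl version -a fields the steps above inspect by hand (version line, build date and compiler flags) and classifies the result. It also handles the backport case shown in the CentOS transcript, where the version string stays at 1.0.1e but the build date is on or after the fix date, by telling you to confirm at the package level; the sample transcripts inside it are constructed, not captured from a live host.

```shell
# Classify `openssl version -a` output for Heartbleed (CVE-2014-0160) exposure.
# Prints one word: not-affected, fixed, check-package or vulnerable.
heartbleed_status() {
    out=$1
    # Builds made with -DOPENSSL_NO_HEARTBEATS contain no heartbeat code at all.
    case "$out" in *OPENSSL_NO_HEARTBEATS*) echo not-affected; return 0 ;; esac
    # "OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1.0.1e ; "OpenSSL 1.0.1 14 Mar 2012" -> 1.0.1
    ver=$(printf '%s\n' "$out" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p' | head -n 1)
    case "$ver" in
        1.0.1|1.0.1[a-f]) ;;                        # affected range: decide by build date
        1.0.1*)           echo fixed; return 0 ;;   # 1.0.1g or later
        *)                echo not-affected; return 0 ;;
    esac
    # Distributions backported the fix without changing the version string, so a
    # build dated on or after 7 Apr 2014 (fix release day) needs a package-level check.
    built=$(printf '%s\n' "$out" | sed -n 's/^built on: *//p' | head -n 1)
    set -- $built                                   # e.g. Sat Mar 1 21:16:43 UTC 2014
    mon=$2; day=$3; for year; do :; done            # year = last field
    case "$mon" in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) echo check-package; return 0 ;;          # e.g. "built on: date not available"
    esac
    case "$year" in [0-9][0-9][0-9][0-9]) ;; *) echo check-package; return 0 ;; esac
    case "$day" in [0-9]|[0-9][0-9]) ;; *) echo check-package; return 0 ;; esac
    if [ $((year * 10000 + m * 100 + day)) -ge 20140407 ]; then
        echo check-package
    else
        echo vulnerable
    fi
}

# Constructed samples modelled on the guide's transcripts (not captured from a live host).
SAMPLE_DEBIAN_BEFORE='OpenSSL 1.0.1e 11 Feb 2013
built on: Sat Mar 1 21:16:43 UTC 2014
platform: debian-amd64'
SAMPLE_CENTOS_AFTER='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
platform: linux-x86_64'
SAMPLE_SOURCE_NOHB='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Apr 9 10:00:00 UTC 2014
compiler: gcc -DOPENSSL_NO_HEARTBEATS -O2'
for s in "$SAMPLE_DEBIAN_BEFORE" "$SAMPLE_CENTOS_AFTER" "$SAMPLE_SOURCE_NOHB"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(heartbleed_status "$s")"
done
if command -v openssl >/dev/null 2>&1; then       # classify the host this runs on
    echo "this host: $(heartbleed_status "$(openssl version -a 2>/dev/null)")"
fi
```

A check-package result on RPM systems can be settled with the package changelog (for example rpm -q --changelog openssl, looking for the CVE-2014-0160 entry).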
Reissue All Certificates
The Heartbleed bug allows an attacker to read a portion of the memory of a vulnerable system, including the private keys of SSL key pairs, so it is recommended that you reissue all key pairs. This includes keys used to create SSL certificates for web and mail servers. You may need to generate new CSRs and reissue your SSL certificates.