sysCore ApS
Tel: +45 32 21 57 70
Fax: +45 69 66 33 66
Glostrup, Denmark

Quick Product & Service Guide
Competences | Services | AppHost | Clip-card support | B2B SHOP | Online Presence Pack | RFID | sysAlarms
Google Apps for Business | WADA-NET | CLUB-NET

HCORE Skræddersyet webløsninger
Vi er en del af H|CORE
Autoriseret UNI-TEL forhandler

Autoriseret forhandler
Autoriseret NAVICAT forhandler

Autoriseret forhandler
sysCore Aps supports Foundation INNOVARE
meetBSD logo
sysCore Aps supports meetBSD Conference

OpenSSL “Heartbleed” bug – who is affected and what to do?

The recent bug (dubbed “heartbleed”) discovered in OpenSSL is indeed extremely dangerous, as it enables remote attackers to silently scoop data from encrypted communication. System administrators are urged to update their systems as soon as possible and users of affected systems should change their passwords to avoid possible account/system compromise.

Who is in fact affected? First of all check your OpenSSL version:

~ # openssl version
OpenSSL 0.9.8k 25 Mar 2009

Only version 1.0.1 is affected by the error – which means, that if you run Ubuntu Server 10.04 LTS  you are most likely ok – but to be sure you must inspect every machine anyway. Ubuntu 12.04 LTS is shipped with 1.0.1 – and that has to be updated.

In case you do run OpenSSL 1.0.1 – please update as soon as possible to freshly released 1.0.1g version (or higher – but at the time of writing of this article only a beta version is released – namely 1.0.2). Below is an example from CentOS 6.4 and 6.5 (both have 1.0.1) – these systems should be also updated.

~ $ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Should you also update your certificate? If you do run a high-traffic service and your business depends (even indirectly) on the happiness of your users – please do so. Do not forget to change the certificate AFTER OpenSSL upgrade and ask your users to change passwords only AFTER you upgraded OpenSSL and installed new certificate (in that order).

Posted in howto, linux, security | Tagged , | Comments Off on OpenSSL “Heartbleed” bug – who is affected and what to do?