The recent bug (dubbed “heartbleed”) discovered in OpenSSL is indeed extremely dangerous, as it enables remote attackers to silently scoop data from encrypted communication. System administrators are urged to update their systems as soon as possible and users of affected systems should change their passwords to avoid possible account/system compromise.
Who is actually affected? First of all, check your OpenSSL version:
~ # openssl version
OpenSSL 0.9.8k 25 Mar 2009
Only the 1.0.1 branch is affected by the bug, which means that if you run Ubuntu Server 10.04 LTS you are most likely fine, but to be sure you must inspect every machine anyway. Ubuntu 12.04 LTS ships with 1.0.1, and that has to be updated.
If you do run OpenSSL 1.0.1, please update as soon as possible to the freshly released 1.0.1g (or higher, although at the time of writing the only newer release is a beta, namely 1.0.2). Below is an example from CentOS 6.4 and 6.5 (both ship 1.0.1); these systems should also be updated.
~ $ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
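As an added example (not part of the original post), here is a small POSIX shell helper that applies the article's version rule to a line of `openssl version` output: 1.0.1 through 1.0.1f are reported as vulnerable, 1.0.1g or later as patched, and any other branch as not affected.

```shell
#!/bin/sh
# Classify a line of `openssl version` output against the Heartbleed range
# described in the article: 1.0.1 up to and including 1.0.1f are vulnerable,
# 1.0.1g is the fixed release, every other branch is treated as not affected.
# Prints one of: vulnerable | patched | not-affected | not-openssl | unknown
heartbleed_status() {
    # Split the line on whitespace: $1 = "OpenSSL", $2 = "1.0.1e-fips", ...
    # shellcheck disable=SC2086
    set -- $1
    [ -n "${1:-}" ] || { echo "unknown"; return 0; }
    [ "$1" = "OpenSSL" ] || { echo "not-openssl"; return 0; }
    ver=${2:-}

    # base   = leading dotted numbers   -> "1.0.1"
    # rest   = whatever follows base    -> "e-fips"
    # letter = leading letters of rest  -> "e"  (empty for a plain "1.0.1")
    base=${ver%%[!0-9.]*}
    rest=${ver#"$base"}
    letter=${rest%%[!a-z]*}

    if [ "$base" != "1.0.1" ]; then
        echo "not-affected"
        return 0
    fi
    case "$letter" in
        ""|a|b|c|d|e|f) echo "vulnerable" ;;
        *)              echo "patched" ;;
    esac
    return 0
}

# Stand-alone use: classify the OpenSSL build installed on this host.
line=$(openssl version 2>/dev/null)
printf '%s -> %s\n' "${line:-<openssl not found>}" "$(heartbleed_status "$line")"
```

Distributions often backport the fix while keeping the upstream version letter (a patched build can still report 1.0.1e), so treat "vulnerable" as "confirm against the vendor's package changelog" rather than a definitive result.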
Should you also replace your certificate? If you run a high-traffic service and your business depends (even indirectly) on the happiness of your users, please do so. Remember to replace the certificate only AFTER the OpenSSL upgrade, and ask your users to change their passwords only AFTER you have upgraded OpenSSL and installed the new certificate (in that order).