Yesterday a Google security engineer (thanks to Neel Mehta of Google Security for discovering the bug) reported a serious bug in current OpenSSL: a TLS heartbeat read overrun (CVE-2014-0160).
As per OpenSSL, only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. It is advised to upgrade to OpenSSL 1.0.1g ( https://www.openssl.org/source/openssl-1.0.1g.tar.gz ) to fix this issue, or to recompile affected versions with the option -DOPENSSL_NO_HEARTBEATS.
You may also need to recompile other services that are linked against OpenSSL, such as Apache, nginx, PHP, etc. It is also better to renew your SSL certificates to make sure everything is safe.
How to check whether your server/website is affected or not?
http://possible.lv/tools/hb
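As an added example (not part of the original post or of the OpenSSL project), here is a local check that parses the `openssl version` banner against the affected range quoted above, and then, on RPM-based hosts, looks for the CVE in the package changelog, because distribution packages such as the RHSA update backport the fix without changing the upstream version string. It assumes `openssl` is on the PATH; the `rpm` step is skipped where `rpm` does not exist.

```python
import re
import subprocess

# Affected per the OpenSSL advisory quoted above: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. Fixed in 1.0.1g; the 1.0.0 and 0.9.8 branches never had the bug.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def parse_version(banner):
    """Parse the banner printed by `openssl version`, e.g. 'OpenSSL 1.0.1f 6 Jan 2014'."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    return major, minor, fix, m.group(4), m.group(5)  # letter may be "", beta may be None

def version_affected(banner):
    """True if the upstream version in `banner` falls in the vulnerable range."""
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"      # "" (bare 1.0.1) .. "f" vulnerable; "g" and later fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == "1"       # only 1.0.2-beta1 is listed; the final 1.0.2 is not
    return False                 # 1.0.0.x, 0.9.8.x and other branches are unaffected

def changelog_has_fix(changelog):
    """Distro packages (e.g. the RHSA-2014-0376 update) backport the fix without bumping
    the upstream version, so a 1.0.1e banner on RHEL/CentOS may already be patched.
    Return the first changelog line naming the CVE, or None."""
    for line in changelog.splitlines():
        if "CVE-2014-0160" in line:
            return line.strip()
    return None

def run(cmd):
    """Run a command and return its output as text, or "" if it is missing or fails."""
    try:
        return subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8", "replace")
    except (OSError, subprocess.CalledProcessError):
        return ""

if __name__ == "__main__":
    banner = run(["openssl", "version"]).strip()
    if not banner:
        print("openssl not found in PATH")
    elif not version_affected(banner):
        print("%s: version not in the affected range" % banner)
    else:
        fix = changelog_has_fix(run(["rpm", "-q", "--changelog", "openssl"]))
        if fix:
            print("%s: affected upstream version, but package changelog records the fix: %s" % (banner, fix))
        else:
            print("%s: AFFECTED, upgrade to 1.0.1g or rebuild with -DOPENSSL_NO_HEARTBEATS" % banner)
```

A clean banner check is only half the picture: a server that was exposed before patching still needs its certificates and keys reissued, as the post notes above.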
References:
http://heartbleed.com/
https://rhn.redhat.com/errata/RHSA-2014-0376.html
http://www.spinics.net/lists/centos-announce/msg04911.html
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/