[colug-432] Heartbleed Heartburn

Rob Stampfli rob944 at cboh.org
Thu Apr 10 14:55:51 EDT 2014


I have several virtual servers.  They are currently all running CentOS 6.
When news of the Heartbleed bug broke, I did a "yum update" and saw CentOS
has pushed down some updates to the openssl package.  However, its version
number indicates "OpenSSL 1.0.1e-fips 11 Feb 2013", so I suspect it is not
patched for Heartbleed.

A couple of questions:

1.  Anyone know when the major Linux releases will come out with a patch
    for Heartbleed?  Will openssl be pulled up to version 1.0.8 or will
    they port the patch back to their current version of openssl?

2.  What services are affected?  I presume https (but I really don't use
    it on my servers).  But, ssh?  smtp (TSLv2/SSLv3)?  What needs to
    be addressed?

3.  Can we presume that the major players who are affected (Yahoo, Gmail,
    Facebook, Amazon...) have patched their servers already?  It seems
    to me that changing one's password on a service which is still
    vulnerable is worse than doing nothing at all.

Any ideas?

Rob
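An added example, not part of Rob's post or any reply on the list, addressing questions 1 and 2 from a defender's side: a backported fix leaves the `openssl version` banner unchanged, so the checks below read the RPM changelog and then look for running processes that still map a replaced libssl/libcrypto and need a restart. The changelog text and `/proc/<pid>/maps` lines embedded here are constructed samples; on a real CentOS 6 host run it with `--live`.

```shell
#!/bin/sh
# Added illustration, not code from the original post. A backported fix keeps
# "openssl version" at 1.0.1e, so the banner proves nothing. Two checks that do:
# the RPM changelog, and which services still map the pre-update library.

# Exit 0 if the changelog text on stdin mentions the heartbeat/Heartbleed fix.
changelog_has_heartbleed_fix() {
    grep -qi 'heartb'
}

# Exit 0 if /proc/<pid>/maps text on stdin still maps a replaced ("(deleted)")
# libssl or libcrypto, i.e. the process was not restarted after the update.
maps_has_stale_ssl() {
    grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)'
}

# Live audit of a real host; run as root so every /proc/<pid>/maps is readable.
audit_live_system() {
    if rpm -q --changelog openssl 2>/dev/null | changelog_has_heartbleed_fix; then
        echo "openssl RPM changelog mentions the heartbeat fix"
    else
        echo "openssl RPM changelog has no heartbeat fix entry: not yet patched"
    fi
    for p in /proc/[0-9]*; do
        if cat "$p/maps" 2>/dev/null | maps_has_stale_ssl; then
            echo "restart needed: pid ${p#/proc/} $(readlink "$p/exe" 2>/dev/null)"
        fi
    done
}

# Constructed samples (assumed, not taken from a real host) for offline use.
SAMPLE_CHANGELOG_FIXED='* Tue Apr 08 2014 Example Packager - 1.0.1e-16.7
- fix information disclosure in TLS heartbeat extension
* Mon Feb 11 2013 Example Packager - 1.0.1e-1
- update to 1.0.1e'
SAMPLE_CHANGELOG_OLD='* Mon Feb 11 2013 Example Packager - 1.0.1e-1
- update to 1.0.1e'
SAMPLE_MAPS_STALE='7f3a1c000000-7f3a1c200000 r-xp 00000000 fd:01 12345 /usr/lib64/libssl.so.1.0.1e (deleted)'
SAMPLE_MAPS_FRESH='7f3a1c000000-7f3a1c200000 r-xp 00000000 fd:01 12346 /usr/lib64/libssl.so.1.0.1e'

printf '%s\n' "$SAMPLE_CHANGELOG_FIXED" | changelog_has_heartbleed_fix && echo "sample 1: fix present"
printf '%s\n' "$SAMPLE_CHANGELOG_OLD" | changelog_has_heartbleed_fix || echo "sample 2: fix absent"
printf '%s\n' "$SAMPLE_MAPS_STALE" | maps_has_stale_ssl && echo "sample 3: stale libssl still mapped"
printf '%s\n' "$SAMPLE_MAPS_FRESH" | maps_has_stale_ssl || echo "sample 4: current libssl mapped"
if [ "${1:-}" = "--live" ]; then audit_live_system; fi
```

The "(deleted)" marker appears because yum replaces the library file on disk while a long-running daemon (httpd, sshd, postfix) keeps the old inode mapped, so updating the package alone does not make that service safe until it is restarted.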
