[colug-432] Heartbleed Heartburn
Rob Stampfli
rob944 at cboh.org
Thu Apr 10 14:55:51 EDT 2014
I have several virtual servers. They are currently all running CentOS 6.
When news of the Heartbleed bug broke, I did a "yum update" and saw CentOS
has pushed down some updates to the openssl package. However, its version
number indicates "OpenSSL 1.0.1e-fips 11 Feb 2013", so I suspect it is not
patched for Heartbleed.
A couple questions:
1. Anyone know when the major Linux releases will come out with a patch
for Heartbleed? Will openssl be pulled up to version 1.0.8 or will
they port the patch back to their current version of openssl?
2. What services are affected? I presume https (but I really dont use
it on my servers). But, ssh? smtp (TSLv2/SSLv3)? What needs to
be addressed?
3. Can we presume that the major players who are affected (Yahoo, Gmail,
Facebook, Amazon...) have patched their servers already? It seems
to me that changing one's password on a service which is still
vulnerable is worse than doing nothing at all.
Any ideas?
Rob
More information about the colug-432
mailing list