[colug-432] Heartbleed Heartburn

Michael Siroskey msiroskey at mbi.osu.edu
Thu Apr 10 16:03:20 EDT 2014


On 4/10/14 2:55 PM, Rob Stampfli wrote:
> I have several virtual servers.  They are currently all running CentOS 6.
> When news of the Heartbleed bug broke, I did a "yum update" and saw CentOS
> has pushed down some updates to the openssl package.  However, its version
> number indicates "OpenSSL 1.0.1e-fips 11 Feb 2013", so I suspect it is not
> patched for Heartbleed.
>
> A couple questions:
>
> 1.  Anyone know when the major Linux releases will come out with a patch
>      for Heartbleed?  Will openssl be pulled up to version 1.0.8 or will
>      they port the patch back to their current version of openssl?

For RHEL/CentOS 6, the Heartbeat patch was deployed in openssl-1.0.1e-16.el6_5.7
(https://rhn.redhat.com/errata/RHSA-2014-0376.html).


> 2.  What services are affected?  I presume https (but I really don't use
>      it on my servers).  But, ssh?  smtp (TLSv2/SSLv3)?  What needs to
>      be addressed?

It is hard to tell which programs are statically or dynamically linked.  To find
dynamically linked programs still using the old library you can use the following
command line (credit goes to the CentOS Twitter feed):

lsof -n | grep ssl | grep DEL

Any listed service should be restarted.

> 3.  Can we presume that the major players who are affected (Yahoo, Gmail,
>      Facebook, Amazon...) have patched their servers already?  It seems
>      to me that changing one's password on a service which is still
>      vulnerable is worse than doing nothing at all.
>

In addition to passwords, if your systems are using certificates you 
should also replace the certificate as the private keys could have been 
exposed.

> Any ideas?
>
> Rob
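An added example (not from the original post or the CentOS feed) that automates the lsof check from the reply above: it filters lsof output for processes that still map a deleted (DEL) libssl or libcrypto object, which is the sign that a process was not restarted after the package update. The lsof lines below are constructed sample data, and the column layout (COMMAND PID USER FD TYPE ... NAME) is assumed to match `lsof -n`.

```shell
# Added example, not part of the original mailing-list post.
# Constructed sample of `lsof -n` output. Real output has more columns,
# but this check only relies on COMMAND ($1), PID ($2), FD ($4) and NAME ($NF).
SAMPLE_LSOF='httpd     2231  apache  DEL  REG  253,0  12345  /usr/lib64/libssl.so.1.0.1e
httpd     2231  apache  DEL  REG  253,0  12346  /usr/lib64/libcrypto.so.1.0.1e
sshd      1102  root    mem  REG  253,0  12350  /usr/lib64/libcrypto.so.1.0.1e
postfix   1980  root    DEL  REG  253,0  12347  /usr/lib64/libssl.so.1.0.1e
bash      2400  rob     DEL  REG  253,0  99999  /dev/zero
java      3001  tomcat  mem  REG  253,0  12400  /usr/lib64/libssl.so.1.0.1e'

# Read lsof output on stdin and print "PID COMMAND" once for every process
# that holds a DEL (deleted-but-still-mapped) libssl or libcrypto object.
# Processes whose OpenSSL mapping is "mem" (current file) are not listed,
# nor are DEL entries for unrelated files such as /dev/zero.
stale_ssl_procs() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $2, $1 }' | sort -u
}

# On a live system (run as root so every process is visible):
#   lsof -n | stale_ssl_procs
# Demonstration against the constructed sample; every PID printed here
# is a service that should be restarted.
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_procs
```

Each PID listed is a process that loaded the pre-update library and needs a restart; an empty result means nothing is still running against the deleted copy.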
