
Updating openssl to patch heartbleed vulnerability

#1
Hello all,
A patch has been pushed to fix the Heartbleed vulnerability in OpenSSL, which allows an attacker to sniff sensitive information through a memory leak. More about this can be read at heartbleed info.

To find if your host uses a vulnerable openssl, go to filippo and check your site.

So who are all affected? People having SSL on their host and running OpenSSL older than 1.0.1g are affected by this vulnerability.

How do you fix this?
1. If you are on an unmanaged VPS:

Code:
cd /usr/src
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xvzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g

./config --prefix=/usr no-threads shared
make
make test
make install

2. If you are on shared/managed hosting or on a host with no root access:
Ask your host to update OpenSSL to version 1.0.1g.

After installing, restart the services using SSL, like the control panel, httpd, etc. Or do a server reboot to simply restart all services.

I also recommend getting your SSL certificate re-keyed, as older OpenSSL also revealed a part of the private key to the attacker.
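A post-upgrade check for the steps in post #1, as an added example that is not part of the original thread: it classifies an OpenSSL version string and lists the processes that still have the replaced library mapped, which are the ones the restart step is for. The function names are hypothetical, and the ranges assume upstream release numbering (1.0.1 through 1.0.1f affected, fixed in 1.0.1g); distribution packages may carry the fix under an older version string.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Classify an OpenSSL version string for Heartbleed.
# Upstream 1.0.1 through 1.0.1f are affected; 1.0.1g carries the fix.
heartbleed_status() {
    ver=${1#OpenSSL }     # accept "OpenSSL 1.0.1e 11 Feb 2013" or "1.0.1e"
    ver=${ver%% *}        # drop the build date
    case $ver in
        *-*)              echo check-vendor ;;  # e.g. "-fips": fix may be backported
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        1.0.1[g-z])       echo patched ;;
        *)                echo other-branch ;;  # only the 1.0.1 line is classified
    esac
}

# Print PIDs that still map a libssl/libcrypto file that was replaced on disk.
# Once the old file is unlinked, /proc/<pid>/maps shows it as "(deleted)"
# until the process restarts, so these processes still run the old code.
stale_ssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue    # other users' maps need root to read
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Run against the live system when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    echo "openssl binary: $(heartbleed_status "$(openssl version)")"
fi
echo "PIDs still mapping a replaced libssl/libcrypto (restart these):"
stale_ssl_pids /proc
```

Run it as root so that every process's maps file is readable; binaries that link OpenSSL statically do not show up in this listing.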
 
#4
It's good that many have already updated. But there are still a few out there who don't know about this vulnerability, and this thread is created for them :)
 

Slavik

XenForo moderator
Staff member
#5
You can also run yum update or apt update as the repos were all patched.

If you use Litespeed web server, update to the latest version.
 

Tracy Perry

Well-known member
#6
You can also run yum update or apt update as the repos were all patched.

If you use Litespeed web server, update to the latest version.
Uhhh.. you mean the latest version of OLS? If so, no thank you, 1.3 has some serious problems on all the VPS's I compiled/installed it on using the same config settings as 1.2.9. I think @lsmichael commented that there was a problem and the developers were looking at it.
 
#8
You can also run yum update or apt update as the repos were all patched.

If you use Litespeed web server, update to the latest version.
I tried Apt 10 April and it wasn't updated at that time. So I had to pull the source and build on my own. If it's pushed now on apt, it's good then :)
Btw, I'm running debian 7.4