Updating openssl to patch heartbleed vulnerability

[vijaichander]

Hello all,
A patch has been pushed to fix heart bleed vulnerability in openssl which causes the attacker to sniff the sensitive information by memory leak. More about this can be read at heartbleed info.

To find if your host uses a vulnerable openssl, go to filippo and check your site.

So who are all affected? People having ssl on there host and running openssl older than 1.0.1g are affected by this vulnerability.

How do you fix this?
1. If you are on a unmanaged vps:

cd /usr/src
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xvzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g

./config --prefix=/usr no-threads shared
make
make test
make install

2. If you are on shared/managed hosting or on host with no root access:
Ask you host to update openssl to version 1.0.1g

After installing, restart the services using ssl like control panel, httpd etc. Or do a server reboot to simply restart all services.

I also recommend getting your ssl certificate re-keyed as older openssl also revealed a part of private key to the attacker.

 

[WSWD]

Hopefully everyone has fixed this by now. Was released over a week ago.

 

[rdn]

The day openssl dev released 1.0.1g I already updated mine

 

[vijaichander]

It's good that already many have updated. But there are still few out there who doesn't know about this vulnerability and this thread is created for them

 

[Slavik]

You can also run yum update or apt update as the repos were all patched.

If you use Litespeed web server, update to the latest version.

 

[TPerry]

You can also run yum update or apt update as the repos were all patched.

If you use Litespeed web server, update to the latest version.

Uhhh.. you mean the latest version of OLS? If so, no thank you, 1.3 has some serious problems on all the VPS's I compiled/installed it on using the same config settings as 1.2.9. I think @lsmichael commented that there was a problem and the developers were looking at it.

 

[Slavik]

Uhhh.. you mean the latest version of OLS? If so, no thank you, 1.3 has some serious problems on all the VPS's I compiled/installed it on using the same config settings as 1.2.9. I think @lsmichael commented that there was a problem and the developers were looking at it.

I meant LiteSpeed Enterprise

 

[vijaichander]

You can also run yum update or apt update as the repos were all patched.

If you use Litespeed web server, update to the latest version.

I tried Apt 10 April and it wasn't updated at that time. So I had to pull the source and build on my own. If it's pushed now on apt, it's good then
Btw, I'm running debian 7.4

 

[Slavik]

debian

well, nobodies perfect

 

[Jeremy P]

I tried Apt 10 April and it wasn't updated at that time. So I had to pull the source and build on my own. If it's pushed now on apt, it's good then
Btw, I'm running debian 7.4

It was patched in Debian on the 7th in 1.0.1e-2+deb7u5.

 

[vijaichander]

It was patched in Debian on the 7th in 1.0.1e-2+deb7u5.

Didn't work in my case. I already had that version and still this website showed that my site was still vulnerable. After updating to 1.0.1g, it was fixed.