
Updating OpenSSL to patch the Heartbleed vulnerability

Discussion in 'Server Configuration and Hosting' started by vijaichander, Apr 16, 2014.

  1. vijaichander

    vijaichander Active Member

    Hello all,
    A patch has been pushed to fix the Heartbleed vulnerability in OpenSSL, which allows an attacker to sniff sensitive information through a memory leak. More about this can be read at heartbleed info.

    To find out if your host uses a vulnerable OpenSSL, go to filippo and check your site.

    So who is affected? People having SSL on their host and running OpenSSL older than 1.0.1g are affected by this vulnerability.

    How do you fix this?
    1. If you are on an unmanaged VPS:

    cd /usr/src
    wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
    tar -xvzf openssl-1.0.1g.tar.gz
    cd openssl-1.0.1g
    ./config --prefix=/usr no-threads shared
    make test
    make install

    2. If you are on shared/managed hosting or on a host with no root access:
    Ask your host to update OpenSSL to version 1.0.1g.

    After installing, restart the services that use SSL, such as the control panel, httpd, etc. Or do a server reboot to simply restart all services.

    I also recommend getting your SSL certificate re-keyed, as older OpenSSL also revealed a part of the private key to the attacker.
    Last edited: Apr 16, 2014
  2. WSWD

    WSWD Well-Known Member

    Hopefully everyone has fixed this by now. Was released over a week ago.
  3. RoldanLT

    RoldanLT Well-Known Member

    The day openssl dev released 1.0.1g I already updated mine :)
    vijaichander likes this.
  4. vijaichander

    vijaichander Active Member

    It's good that many have already updated. But there are still a few out there who don't know about this vulnerability, and this thread is created for them :)
  5. Slavik

    Slavik XenForo Moderator Staff Member

    You can also run yum update or apt update as the repos were all patched.

    If you use Litespeed web server, update to the latest version.
    Floren likes this.
  6. Tracy Perry

    Tracy Perry Well-Known Member

    Uhhh.. you mean the latest version of OLS? If so, no thank you, 1.3 has some serious problems on all the VPS's I compiled/installed it on using the same config settings as 1.2.9. I think @lsmichael commented that there was a problem and the developers were looking at it.
  7. Slavik

    Slavik XenForo Moderator Staff Member

    I meant LiteSpeed Enterprise :)
    Tracy Perry likes this.
  8. vijaichander

    vijaichander Active Member

    I tried apt on 10 April and it wasn't updated at that time. So I had to pull the source and build on my own. If it's pushed now on apt, it's good then :)
    Btw, I'm running Debian 7.4
  9. Slavik

    Slavik XenForo Moderator Staff Member

    Well, nobody's perfect :)
    vijaichander likes this.
  10. Jeremy P

    Jeremy P Well-Known Member

    It was patched in Debian on the 7th in 1.0.1e-2+deb7u5.
  11. vijaichander

    vijaichander Active Member

    Didn't work in my case. I already had that version and still this website showed that my site was still vulnerable. After updating to 1.0.1g, it was fixed.
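
The first post says to restart every service that uses SSL after installing the new OpenSSL. A process that started before the upgrade keeps the old library mapped until it is restarted, so the sketch below lists such processes from /proc on Linux. It is an added example, not code from any poster in this thread; the function names, the optional proc-root argument and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the PROC_ROOT
# argument are this example's own.

# stale_ssl_procs [PROC_ROOT]: print "PID COMMAND LIBRARY" for each process that
# still maps a libssl/libcrypto file which has since been replaced on disk.
stale_ssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null) || comm='?'
        # maps field 6 is the file path; the kernel appends " (deleted)" once
        # that file is unlinked, which is what an upgrade does to the old copy.
        awk -v pid="$pid" -v comm="$comm" '
            $NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*[.]so" && !seen[$6]++ {
                print pid, comm, $6
            }' "$maps" 2>/dev/null || continue
    done
}

# Constructed sample tree: PID 101 started before the upgrade, PID 2040 after.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/101" "$d/2040"
    echo httpd > "$d/101/comm"
    echo sshd > "$d/2040/comm"
    cat > "$d/101/maps" <<'EOF'
7f3a10000000-7f3a10058000 r-xp 00000000 08:01 131201 /usr/lib/libssl.so.1.0.0 (deleted)
7f3a10058000-7f3a1005c000 rw-p 00058000 08:01 131201 /usr/lib/libssl.so.1.0.0 (deleted)
7f3a0fc00000-7f3a0fdb0000 r-xp 00000000 08:01 131200 /usr/lib/libcrypto.so.1.0.0 (deleted)
EOF
    cat > "$d/2040/maps" <<'EOF'
7f9b20000000-7f9b201b0000 r-xp 00000000 08:01 140022 /usr/lib/libcrypto.so.1.0.0
EOF
    echo "$d"
}

# No argument: scan the constructed sample. Pass /proc (as root) to scan a host.
if [ $# -gt 0 ]; then
    stale_ssl_procs "$1"
else
    sample=$(make_sample_proc) && stale_ssl_procs "$sample"
    rm -rf "$sample"
fi
```

Every PID it prints needs a restart before the patched library is in use. Software that bundles or statically links its own OpenSSL does not appear in this output and has to be updated separately.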
