Over the last 12 hours there has been a report of a severe OpenSSL vulnerability.
There is detailed information at www.heartbleed.com; we have summarised the key points below, along with the steps you need to take:
OpenSSL versions 1.0.1 through to 1.0.1f (inclusive) are vulnerable.
The bug allows malicious individuals to read 65kb chunks of decrypted system memory. Done enough times, this can build a picture of your server's memory (RAM), which could be used to disclose information such as SSL private keys.
Most vendors have released updated OpenSSL packages that are ready to be installed. These are patched versions of 1.0.1e without the part that makes OpenSSL vulnerable, which closes the vulnerability.
To patch the version of OpenSSL in use on your server, please log in via SSH and run the following command:
yum -y update openssl
*If that command fails, please use the following command instead:
sudo apt-get update && sudo apt-get -y install openssl
If you get a message about "No packages marked for update" then you do not need to do anything further.
Once the command has run, you will need to reboot your server to ensure all services that use OpenSSL use the new version. To do this, run the following command in SSH:
Your server will then reboot and the patch is complete.
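To confirm that no service is still running on the old library after the update, the script below lists processes that still have a deleted libssl/libcrypto file mapped in memory. It is an added example, not part of the original advisory; the function names, the optional proc-directory argument and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original advisory).

# Exit 0 if an upstream OpenSSL version string falls in the range the
# advisory names (1.0.1 through 1.0.1f). Vendor packages keep the 1.0.1e
# string after patching, so a match on a package-managed server does not
# by itself mean the server is unpatched.
in_vulnerable_range() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the PID of every process whose memory map still references a
# deleted libssl/libcrypto, i.e. a process started before the update and
# not yet restarted. $1 is the proc directory to scan (default: /proc).
stale_openssl_pids() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            echo "${pid##*/}"
        fi
    done
}

# Constructed sample data: PID 101 was started before the update (its
# library file has since been replaced), PID 202 was started after it.
make_sample_proc() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/101" "$dir/202"
    echo '7f3a10000000-7f3a10060000 r-xp 00000000 08:01 1311 /usr/lib64/libssl.so.1.0.1e (deleted)' > "$dir/101/maps"
    echo '7f8b20000000-7f8b20060000 r-xp 00000000 08:01 2422 /usr/lib64/libssl.so.1.0.1e' > "$dir/202/maps"
    echo "$dir"
}

sample="$(make_sample_proc)"
echo "Stale PIDs in constructed sample: $(stale_openssl_pids "$sample")"
rm -rf "$sample"
```

On a live server, call stale_openssl_pids with no argument as root; an empty result after the reboot means every running service has loaded the updated library.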
PAC Web Hosting
Tuesday, April 8, 2014