Heart Bleeding

A Google Security engineer reported a serious bug in current OpenSSL on 3 April 2014: the TLS heartbeat read overrun (CVE-2014-0160). Thanks to Neel Mehta of Google Security and the team of security engineers (Riku, Antti and Matti) at Codenomicon for discovering the bug.

According to OpenSSL, only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. The advice is to upgrade to OpenSSL 1.0.1g ( https://www.openssl.org/source/openssl-1.0.1g.tar.gz ) to fix this issue, or to recompile affected versions with the option -DOPENSSL_NO_HEARTBEATS.

You may need to recompile other services that are built against OpenSSL, such as Apache, nginx, PHP, etc. It is also better to renew your SSL certificates to make sure everything is safe.

How to check whether your server/website is affected or not?

http://possible.lv/tools/hb
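A local check to go with the online tool, as an added example that is not part of the original post: it classifies an `openssl version` string against the affected range quoted above and treats a build compiled with -DOPENSSL_NO_HEARTBEATS as not affected. The function names `hb_classify` and `hb_check_local` and the verdict strings are made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names and verdict
# strings are made up here; the version range is the one quoted in the post.

# hb_classify VERSION_LINE [CFLAGS_LINE]
#   VERSION_LINE: output of `openssl version`, e.g. "OpenSSL 1.0.1f 6 Jan 2014"
#   CFLAGS_LINE:  output of `openssl version -f` (compiler flags)
# Returns 0 = not affected, 1 = affected, 2 = could not tell.
hb_classify() {
    local ver flags
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%-fips}          # "1.0.1e-fips" is the same code base as 1.0.1e
    flags=${2:-}

    # Built with -DOPENSSL_NO_HEARTBEATS: the heartbeat code is not compiled in.
    case "$flags" in
        *-DOPENSSL_NO_HEARTBEATS*)
            echo "not-affected: heartbeats compiled out"; return 0 ;;
    esac

    case "$ver" in
        "")
            echo "unknown: no version found"; return 2 ;;
        1.0.1|1.0.1[abcdef]|1.0.2-beta|1.0.2-beta1)
            # Distribution packages may carry a backported fix under the same
            # version string, so confirm against the vendor advisory.
            echo "affected: $ver"; return 1 ;;
        *)
            echo "not-affected: $ver"; return 0 ;;
    esac
}

# Check the openssl binary on this host. Services such as Apache or nginx can
# be linked against a different libssl, so check what they load as well.
hb_check_local() {
    command -v openssl >/dev/null 2>&1 || { echo "unknown: openssl not installed"; return 2; }
    hb_classify "$(openssl version)" "$(openssl version -f)"
}
```

Source the file and run `hb_check_local` on each host; the exit status (0, 1 or 2) makes it usable from a fleet-wide inventory script.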
