As reported by The OpenSSL team on April 7, 2014, a significant encryption flaw named the “Heartbleed bug” has been discovered and poses a very large security threat to servers which are vulnerable.
If you have a VPS/Cloud/Dedicated server with Signetique installed with software versions that may be vulnerable, please note the following information. If you have Managed System Administration services with us, we have already scheduled an upgrade for you and you do not have to do anything.
This affects almost all services (especially Apache-based) in a system which depends on OpenSSL and was created using one of the following distributions:
- Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u4, fixed in OpenSSL 1.0.1e-2+deb7u5)
- Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.1, fixed in OpenSSL 1.0.1e-3ubuntu1.2)
- Ubuntu 12.10 (vulnerable OpenSSL 1.0.1c-3ubuntu2.6, fixed in OpenSSL 1.0.1c-3ubuntu2.7)
- Ubuntu 12.04.4 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.11, fixed in OpenSSL 1.0.1-4ubuntu5.12)
- RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-15, fixed in OpenSSL 1.0.1e-16)
- Fedora 18 (OpenSSL 1.0.1e-4 without update: Fedora 18 is no longer supported)
- Fedora 19 (fixed in OpenSSL 1.0.1e-37.fc19.1)
- Fedora 20 (fixed in OpenSSL 1.0.1e-37.fc20.1)
- OpenSUSE 12.2 (vulnerable OpenSSL 1.0.1c, fixed in OpenSSL 1.0.1e-1.44.1)
- OpenSUSE 13.1 (fixed in OpenSSL 1.0.1e-11.32.1)
Please refer to this URL for OpenSUSE patches (http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html)
The OpenSSL version for Debian/Ubuntu can be checked using below command :
# dpkg -l openssl
The OpenSSL version for Redhat/CentOS and OpenSUSE can be checked using below command :
# rpm -q openssl
The following distributions are NOT affected :
- Debian Squeeze (https://www.debian.org/security/2014/dsa-2896)
- RedHat/CentOS 5 which shipped with OpenSSL 0.97a and 0.98e (https://rhn.redhat.com/errata/RHSA-2014-0376.html)
- Other than the above mentioned Ubuntu releases (http://www.ubuntu.com/usn/usn-2165-1/)
What should I do if my server is vulnerable?
Upgrade your OpenSSL package
On CentOS, RHEL and CloudLinux system. This can be done using below command :
# yum clean all
# yum update openssl
On Debian/Ubuntu system. This can be done using below command :
# apt-get update
# apt-get install openssl
Reset all your passwords
It is highly recommended to change all passwords after the OpenSSL package updated. Especially those web applications which accessible via your https URL.
SSL Certificate Revocations
According to the currently available information, private keys should be considered as compromised. We advice you to contact your SSL provider for revocation and reissuing of certificates.
Check if your system is still vulnerable after OpenSSL has been upgraded
Please go to https://www.ssllabs.com/ssltest/ and test your domain that assigned with SSL. If the problem fixed, then the output of the test should include a row similar to this: “This server is not vulnerable to the Heartbleed attack. (Experimental)”.
If you have Managed System Administration services with Signetique, we have already scheduled an upgrade for you. If you do not have this service and would like us to assist you, please email to firstname.lastname@example.org and we will be happy to discuss this further with you.