The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Affected Versions: OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and version 1.0.2-beta are vulnerable; branches 1.0.0 and 0.9.8 are not vulnerable.
1. Update Operating System
On Ubuntu and Debian, you can update by typing:
2. Checking OpenSSL Version Numbers
You should check your version of OpenSSL after you have updated your system.
While OpenSSL version 1.0.1g is the official fix of this problem, the version that fixes this for different distributions and releases may vary. Some releases and distributions patched their older versions to fix the problem, rather than releasing an entirely new version into an older, stable ecosystem.
For this reason, it is best to check through your distribution's packaging system, since the openssl version command might not reflect the information we need.
Debian and Ubuntu Releases and Fix Versions
For Debian and Ubuntu systems, you get the current version of your OpenSSL package by typing:
CentOS and Fedora Releases and Fix Versions
For CentOS and Fedora systems, you can query the version of the OpenSSL package installed on your system by typing:
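As an added example (not part of the original article), a small POSIX shell helper that classifies the output of openssl version against the affected range listed above, and prints the distribution package version via dpkg-query or rpm, since the backport caveat makes the package version the value to compare against your distribution's advisory. It assumes that any upstream version newer than the 1.0.1g fix is also fixed.

```shell
#!/bin/sh
# Added example, not from the original article: classify an OpenSSL version
# string against the Heartbleed-affected range (1.0.1 .. 1.0.1f, 1.0.2-beta)
# and show the package version, which is what matters when a distribution
# backported the fix without changing the upstream version number.

heartbleed_version_status() {
    # Accepts full `openssl version` output ("OpenSSL 1.0.1e 11 Feb 2013")
    # or a bare version string ("1.0.1e").
    set -- $1
    if [ "$1" = "OpenSSL" ]; then ver=$2; else ver=$1; fi
    case "$ver" in
        1.0.1|1.0.1[a-f]*) echo vulnerable ;;    # 1.0.1 through 1.0.1f (also "1.0.1e-fips")
        1.0.2-beta*)       echo vulnerable ;;    # 1.0.2-beta
        1.0.1[g-z]*)       echo fixed ;;         # 1.0.1g is the upstream fix
        1.0.2*|1.1.*|3.*)  echo fixed ;;         # assumption: released after the fix
        1.0.0*|0.9.8*)     echo not-affected ;;  # branches never affected
        *)                 echo unknown ;;
    esac
}

# Query the packaging system, as the article recommends; compare this value
# against the fixed package version in your distribution's advisory.
installed_openssl_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' openssl 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null
    else
        echo "no dpkg/rpm found" >&2
        return 1
    fi
}

if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    echo "$v -> $(heartbleed_version_status "$v")"
    echo "package: $(installed_openssl_package_version 2>/dev/null || echo n/a)"
fi
```

A "vulnerable" result from the version string alone is only a prompt to check the package changelog; a "fixed" package version from the distribution is authoritative.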
3. Revoking and Reissuing your SSL Certs/Keys
If you have purchased an SSL certificate from a provider and you have updated your OpenSSL packages on your server, you will need to revoke your old keys and you'll have to reissue new keys. This is a process known as "rekeying". This process is very dependent upon the SSL service that issued your initial certificate, but you should search their administration interface for an option that is similar to "rekey" or "reissue keys". Most SSL issuers will revoke your former key when you rekey, but you can usually also do this explicitly using their administrative interface. Follow the directions that your SSL provider gives you. They may give you very specific instructions for how to regenerate a CSR, or they may not.
On Debian or Ubuntu, you can restart your web server by typing:
sudo service apache2 restart # For Apache web server
On CentOS or Fedora, you can restart by typing:
sudo service httpd restart # For Apache web server
4. Additional Considerations from a Client's Perspective
Because of the widespread nature of this bug, there are other considerations that you should take into account as well. As a consumer of web services and sites, you should also react quickly to try to minimize the potential damage to your accounts and information.