Heartbleed, the highly publicized OpenSSL bug with the unfortunate name, has a lot of system administrators scurrying to fix the problem. If you have not heard about it by now: it is a security hole in OpenSSL's TLS heartbeat extension that a cyber criminal can use to reveal 64k of memory from a connected client or server. The bug is present in versions 1.0.1 and 1.0.2-beta of OpenSSL. You can fix it by upgrading to 1.0.1g or 1.0.2-beta2.
On a Linux server, you can check your OpenSSL version using your package manager. Depending on your distribution, the procedure will vary.
First, check the installed version, either as root or through sudo:
# openssl version -a
$ sudo openssl version -a
The output will look like:
OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Jan 8 20:58:47 UTC 2014
To upgrade your Debian-based system, including Ubuntu, run:
$ sudo apt-get dist-upgrade
For Red Hat and CentOS, you would run:
# yum update
If your distribution does not update to a newer version of OpenSSL, you may be running a release that no longer receives updates, or your distribution may not have fixed the problem yet. Moreover, if you installed OpenSSL manually, you might need to recompile OpenSSL with the “-DOPENSSL_NO_HEARTBEATS” flag.
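Reading the result of openssl version -a by eye is error-prone, and it is especially easy to be misled when a distribution backports the fix without changing the version string (Debian, Ubuntu and Red Hat all kept 1.0.1e). The script below is an added example and not part of the original article or of OpenSSL itself; it classifies the output of openssl version -a into the cases the article describes and pulls out the build date, which is the field to compare against your vendor's advisory when the version string is ambiguous. It assumes, as labelled in the comments, that the first output line reads "OpenSSL <version> <date>", that a "built on:" line follows, and that a build configured without heartbeats shows -DOPENSSL_NO_HEARTBEATS on its "compiler:" line; the sample outputs are constructed, the first one copied from the article.

```shell
#!/bin/sh
# Added example, not from the original article or from the OpenSSL project.
# Classifies the text printed by `openssl version -a` so the Heartbleed
# exposure of a host can be read off in one place.
# Assumptions (not stated on the page): the first line is
# "OpenSSL <version> <date>", a "built on:" line follows, and a build
# configured with no-heartbeats shows -DOPENSSL_NO_HEARTBEATS on the
# "compiler:" line.

# Prints one of:
#   unaffected      version is outside the 1.0.1 / 1.0.2-beta range
#   fixed           1.0.1g or later, or 1.0.2-beta2 or later
#   no-heartbeats   the heartbeat extension was compiled out
#   check-backport  vulnerable version string; the distribution may have
#                   patched it without bumping the version, so compare the
#                   build date with the fix date and read the package changelog
heartbleed_status() {
    out="$1"
    ver=$(printf '%s\n' "$out" | sed -n 's/^OpenSSL \([^ ]*\) .*/\1/p' | head -n 1)
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta|1.0.2-beta1)
            # Vulnerable range, unless the extension was compiled out.
            if printf '%s\n' "$out" | grep -q 'DOPENSSL_NO_HEARTBEATS'; then
                echo no-heartbeats
            else
                echo check-backport
            fi ;;
        1.0.1[g-z]*|1.0.2-beta[2-9]*)
            echo fixed ;;
        *)
            echo unaffected ;;
    esac
}

# Extract the build date, the value to compare against the vendor's advisory
# when the version string alone does not settle the question.
openssl_build_date() {
    printf '%s\n' "$1" | sed -n 's/^built on: *//p' | head -n 1
}

# Constructed sample outputs for the four cases (the first is the article's).
SAMPLE_PAGE='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Jan 8 20:58:47 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr 8 10:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS'
SAMPLE_NOHB='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Apr 9 12:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS'
SAMPLE_OLD='OpenSSL 1.0.0k 5 Feb 2013
built on: Mon Feb 11 09:00:00 UTC 2013
compiler: gcc -fPIC -DOPENSSL_PIC'

# Stand-alone run: print the verdict for each sample.
for s in "$SAMPLE_PAGE" "$SAMPLE_FIXED" "$SAMPLE_NOHB" "$SAMPLE_OLD"; do
    printf '%s -> %s (built on %s)\n' "$(printf '%s\n' "$s" | head -n 1)" \
        "$(heartbleed_status "$s")" "$(openssl_build_date "$s")"
done
```

On a real host, feed it the live output with heartbleed_status "$(openssl version -a)". A check-backport verdict means the version string alone cannot tell you whether you are safe: look at the package changelog (apt-get changelog openssl on Debian and Ubuntu, rpm -q --changelog openssl on Red Hat and CentOS) for the heartbeat fix. Whatever the verdict, remember that services which loaded the old library before the upgrade keep using it until they are restarted, so restart anything that links libssl (web servers, mail servers, VPN daemons) after the package update.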