Fix Openssl Heartbleed
The OpenSSL Heartbleed bug (CVE-2014-0160) allows an attacker to read server memory in chunks of up to 64 KB per request. By repeating the request, they can collect sensitive information from your system.
The worst thing an attacker can retrieve is the private key, which then lets them decrypt any data encrypted under it. Other information an attacker can obtain includes users' cookies and even users' usernames and passwords.
It is crucial to upgrade to version 1.0.1g or later. You also have to revoke and regenerate keys and certificates, and have CA certificates re-issued, in the days that follow.
Affected versions
The heartbleed bug was introduced in OpenSSL 1.0.1 and is present in
- 1.0.1
- 1.0.1a
- 1.0.1b
- 1.0.1c
- 1.0.1d
- 1.0.1e
- 1.0.1f
Verify the version
To check the version you can run this command:
openssl version -v
openssl version -b
This will output something like this:
OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan 8 20:45:51 UTC 2014
If the version is 1.0.1 and the build date is older than Mon Apr 7 20:33:29 UTC 2014, then you are vulnerable to the Heartbleed bug.
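As an added example (not part of the original page), a small POSIX sh check that applies the rule above to the two output lines. It compares the build date at day granularity and treats any 1.0.1-series build dated 7 Apr 2014 or later as a patched distribution rebuild; that threshold and the exact output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide from the two `openssl version` lines whether a build
# falls in the Heartbleed window. Pure POSIX sh, no GNU date required.

# month_num NAME -> prints 01..12 for Jan..Dec, fails on anything else
month_num() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# build_day "built on: Wed Jan 8 20:45:51 UTC 2014" -> 20140108
build_day() {
    # fields after "built on:": weekday month day time zone year
    set -- $(printf '%s\n' "$1" | sed 's/^built on: *//')
    m=$(month_num "$2") || return 1
    printf '%04d%s%02d\n' "$6" "$m" "$3"
}

# is_heartbleed_vulnerable VERSION_LINE BUILD_LINE
# Returns 0 (vulnerable) when the version is 1.0.1 .. 1.0.1f and the
# build date is before 2014-04-07 (the day the fix was released).
# A 1.0.1 string rebuilt on or after that day is taken as a patched
# distribution build (assumption); 1.0.1g and newer are never flagged.
is_heartbleed_vulnerable() {
    build=$2
    set -- $1                 # split "OpenSSL 1.0.1 14 Mar 2012"
    case "$2" in
        1.0.1|1.0.1[a-f]) ;;  # affected series, check the build date
        *) return 1 ;;        # 1.0.1g+, 1.0.0, 0.9.8: not affected
    esac
    day=$(build_day "$build") || return 0   # unparseable date: assume the worst
    [ "$day" -lt 20140407 ]
}
```

Run it as `is_heartbleed_vulnerable "$(openssl version -v)" "$(openssl version -b)"` and check the exit status.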
Update
Update the repository:
sudo apt-get update
Upgrade the openssl package, then confirm which version apt now has installed:
sudo apt-get upgrade openssl libssl-dev
apt-cache policy openssl libssl-dev
Services that already have libssl loaded (web, mail and VPN daemons) keep using the old copy until they are restarted.
Verify the version
To check the version you can run this command:
openssl version -b
The build date will now have changed to Apr 7, 2014:
built on: Mon Apr 7 20:31:55 UTC 2014
Install version 1.0.1g
You can install it from source if you prefer. You need to get it from the openssl.org website:
curl https://www.openssl.org/source/openssl-1.0.1g.tar.gz | tar xz \
  && cd openssl-1.0.1g \
  && sudo ./config \
  && sudo make \
  && sudo make install
Replace old openssl
Now, let's replace the old OpenSSL binary with the new one. Note that this only swaps the command-line tool; services linked against the system libssl still use the distribution's library until that package is upgraded and they are restarted.
sudo ln -sf /usr/local/ssl/bin/openssl "$(which openssl)"
Verify version
Verify the version:
openssl version
This will return:
OpenSSL 1.0.1g 7 Apr 2014