New SSL Heartbleed Bug A Serious Threat To Server Security!

Hi,

Have a look at this.

http://heartbleed.com/

Looks like everyone needs to patch or update their OpenSSL software, if you are on versions 1.0.1 to 1.0.1f and then make sure to hard restart your server(s).

Debian: Sec Advisory
Ubuntu: Sec Advisory
CentOS: Sec Advisory
Red Hat: Sec Advisory

Scott

 

Um, I am not quite sure what you mean. OpenSSL is a standard part of most Linux OSes and so is automatically installed and running as a service and on an open port (443). So, even if you weren't using SSL (for https connectivity, as I think you are inferring), then your server is most likely still vulnerable. I haven't been able to find an answer on that and my knowledge isn't good enough to be sure.

This is a nice blog about the issue too. You'll notice, there is no mention of "if you don't use https, you are ok."

Even worse, this bug is over 2 years old. So, rotate certs and change all passwords, if you want to be really safe.

Scott

 

Liquidweb, who is my hosting provider sent out an email to all customers saying that they patched the security flaw and rebooted our servers.

 

Yes, but how many people explicitly shut down the SSL service on their server? (Not using https in your website doesn't mean the same. Still not sure we are talking about the same thing.) I'd venture to say, practically nobody.

Edit: then again, if you weren't serving any transactions with SSL, then there would be nothing to exploit.

Scott