A serious vulnerability has been found in OpenSSL, an open source toolkit that implements the SSL/TLS protocols and a full-strength cryptographic library. Whether you work on CentOS, UNIX, Linux, or any other platform, Heartbleed has affected all websites that use OpenSSL.
Note: The Heartbleed bug does not compromise SSL security, but many security experts suggest regenerating SSL keys to keep your website safe and up to date.
Many users believe that Heartbleed compromised SSL security, but that is not correct. It is a programming problem in the OpenSSL library. Therefore, as part of the Heartbleed fix, we offer some suggestions for addressing this serious vulnerability.
Security Solution For Heartbleed
Which OpenSSL versions are vulnerable?
Operating systems that run older versions of OpenSSL are at risk. The following versions are potentially vulnerable.
- OpenSSL 1.0.1 through 1.0.1f (inclusive)
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
However, the bug has been fixed with the release of OpenSSL version 1.0.1g.
How to check versions of OpenSSL?
Many distributions and releases patched their old or latest versions to fix the problem. However, you can check the current version of OpenSSL with the
For this reason, you should check via your distribution's packaging system.
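As an added illustration (not part of the original article), the shell function below sorts an OpenSSL version string into the version ranges listed on this page. The function name and result labels are assumptions; a string in the vulnerable range that carries a distribution revision suffix is reported as check-package, because distributions patched their packages without changing the upstream version.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the ranges on this page.
# classify_openssl and its result labels are illustrative names (assumptions).
classify_openssl() {
    input=$1
    # First token shaped like X.Y.Z plus an optional release letter, e.g. 1.0.1e
    ver=$(printf '%s\n' "$input" \
        | LC_ALL=C grep -oE '[0-9]+\.[0-9]+\.[0-9]+[a-z]?' | head -n 1) || true
    [ -n "$ver" ] || { echo unknown; return 0; }
    base=${ver%[a-z]}       # 1.0.1e -> 1.0.1
    letter=${ver#"$base"}   # 1.0.1e -> e (empty for plain 1.0.1)
    case "$base" in
        1.0.1)
            case "$letter" in
                ''|a|b|c|d|e|f)
                    # 1.0.1 through 1.0.1f is the vulnerable upstream range.
                    # A "-revision" suffix means a distribution build, where the
                    # fix may be backported: the package system must decide.
                    case "$input" in
                        *"$ver"-*) echo check-package ;;
                        *)         echo vulnerable ;;
                    esac ;;
                *) echo fixed ;;            # 1.0.1g and later letters
            esac ;;
        1.0.0|0.9.8) echo unaffected-branch ;;
        *) echo unknown ;;                  # branch not listed on this page
    esac
}

# Sample inputs: version strings quoted on this page.
for s in 'OpenSSL 1.0.1e 11 Feb 2013' '1.0.1e-2+deb7u4' \
         '1.0.1-4ubuntu5.11' '1.0.1g' '0.9.8o-4squeeze14'; do
    printf '%-28s %s\n' "$s" "$(classify_openssl "$s")"
done
```

For a check-package result, compare the installed package revision and its changelog against your distribution's security notice.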
Which versions of OpenSSL are safe?
The following versions, across different operating systems, are safe and stable.
- OpenSSL 1.0.1g
- OpenSSL 1.0.0 branch
- OpenSSL 0.9.8 branch
- Debian Squeeze (old stable), OpenSSL 0.9.8o-4squeeze14
- SUSE Linux Enterprise Server
- FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD 10.0p1 – OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
- FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
How to download the new version of OpenSSL?
To download the new version, openssl-1.0.1g.tar.gz, visit https://www.openssl.org/source/ directly and follow the instructions in the INSTALL text file to build the new version locally. After downloading and installing the new version, restart your services.
Are you a victim of Heartbleed?
Do you run your website on an OS or platform such as Linux, Ubuntu, CentOS, or WHM/cPanel? Then the time has come to check whether your website is affected by the Heartbleed bug.
You can check your website status with the following website.