In the last few days a serious bug, nicknamed Heartbleed (CVE-2014-0160), has been found in the cryptographic software library OpenSSL.
The bug is in the TLS heartbeat extension: a malicious client can ask a server running a vulnerable version of OpenSSL to send back up to 64 KB of the server process's memory, and can repeat the request as often as it likes. With this kind of access an attacker can recover the server's private key, which lets it decrypt the traffic to the server, as well as session cookies, usernames, passwords and whatever other content happens to be in memory at the time. The attack leaves no trace in the server logs. It also works in the other direction: a malicious server can read the memory of a vulnerable client.
Fortunately only the 1.0.1 series (1.0.1 up to 1.0.1f) and the 1.0.2-beta series (up to 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug; 1.0.1g and 1.0.2-beta2 contain the fix, and the older 0.9.8 and 1.0.0 branches were never vulnerable. Be careful when checking the version, though: most distributions backport the fix without changing the version number, so "openssl version" may still print 1.0.1e on an already patched system. The package changelog, which names CVE-2014-0160 when the fix is included, is the reliable indicator.
An important WARNING first: this guide only covers the update of the OpenSSL package, on the assumption that the Heartbleed bug has not already been exploited on your server. Given the innumerable configurations and security requirements a server can have, I cannot provide a general way to scrutinise your system and, if necessary, handle a security breach; for that you have to draw up a customised plan with your system/network administrator(s) and, where relevant, your service providers. Keep in mind that an exploitation of this bug leaves nothing in the logs, so you cannot prove that the server was not attacked; the safe assumption is that anything held in the memory of the vulnerable process (private keys, passwords, session cookies) may have leaked.
If your server is managed by a third-party service provider, you can use this Heartbleed test to find out whether the server is vulnerable; if it is, contact your provider IMMEDIATELY and demand the installation of the OpenSSL update (fortunately, the biggest service providers have already applied the fix on their own). Once the update is installed, ask the provider to generate a new private key, reissue the server's TLS certificate and revoke the old one, since the old key may have leaked; then change your password and those of any other users of the server. Change the passwords only after the update is in place, otherwise the new credentials can be stolen in the same way as the old ones.
If you manage your server yourself, you have to log in to the server and update the OpenSSL package manually.
For Debian, Ubuntu and derivatives, use the following commands. Note that on these systems the library itself is in the libssl1.0.0 package, while the openssl package only contains the command-line tool, so the library package must be upgraded as well:
sudo apt-get update
sudo apt-get install openssl libssl1.0.0
For Red Hat, CentOS, Fedora and derivatives (as root, or prefix the commands with sudo); note that Red Hat backports the fix, so the version stays 1.0.1e and only the package release number and the changelog show that the update has been applied:
yum list updates
yum update openssl
For Gentoo and derivatives:
su
emerge --sync
emerge --ask dev-libs/openssl
For any other distribution you have to find the specific commands for the native package manager, but the principle is the same:
- update the cached list of available packages;
- install the updated OpenSSL package (on distributions that split the library from the command-line tool, the library package is the one that matters);
- restart every service that uses the library (web server, mail server, VPN daemon and so on), or simply reboot: a running process keeps the old, vulnerable copy of the library in memory until it is restarted, so the update does not protect it until then.
In this case too, once the OpenSSL package is updated and the services have been restarted, generate a new private key, reissue the server's TLS certificate and revoke the old one, then change your password and those of any other users of the server.
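To check where a server stands before and after the update, here is a small POSIX shell script written for this post as an added example; it is not part of any distribution's tooling. It classifies the version printed by "openssl version" against the affected range described above (with the -fips suffix of Red Hat builds stripped), and lists the processes that still map a libssl or libcrypto file that the Linux kernel marks as (deleted), which is what a package upgrade does to a library file while processes that loaded the old copy keep running. The script name heartbleed-check.sh is assumed; run it as root so that every process's /proc/PID/maps is readable.

```shell
#!/bin/sh
# Added example, not part of the original post or of any distribution's tools.
# Assumptions: the script is saved as heartbleed-check.sh, and it runs on Linux,
# where /proc/PID/maps marks a mapped file replaced on disk with "(deleted)".

# Normalise the version token printed by "openssl version". Red Hat builds
# print e.g. "1.0.1e-fips"; the suffix is dropped so the range check works.
normalize_openssl_version() {
    v=${1%-fips}
    printf '%s\n' "$v"
}

# Extract the version token from a full "openssl version" line such as
# "OpenSSL 1.0.1e 11 Feb 2013" (word splitting on $1 is intentional).
openssl_version_token() {
    set -- $1
    normalize_openssl_version "$2"
}

# Return 0 (true) if the upstream version is in the Heartbleed range:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g, 1.0.2-beta2 and the
# 0.9.8 and 1.0.0 branches return 1 (false). A "true" here is only a
# warning: distributions backport the fix without bumping the version,
# so the package changelog must be checked as well.
heartbleed_affected() {
    case "$(normalize_openssl_version "$1")" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "pid command" for every process that still maps a libssl or
# libcrypto file marked (deleted), i.e. one replaced by the upgrade.
# Those processes run the old code and must be restarted.
stale_libssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -Eq 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -c1-60)"
        fi
    done
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl command not found; check the library package directly" >&2
        return 2
    fi
    ver=$(openssl_version_token "$(openssl version)")
    if heartbleed_affected "$ver"; then
        echo "OpenSSL $ver is in the affected range (1.0.1 to 1.0.1f, 1.0.2-beta1)."
        echo "If the package is claimed to be patched, confirm it in the changelog, e.g.:"
        echo "  Debian/Ubuntu: zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz | grep CVE-2014-0160"
        echo "  Red Hat/Fedora: rpm -q --changelog openssl | grep CVE-2014-0160"
    else
        echo "OpenSSL $ver is outside the affected range."
    fi
    stale=$(stale_libssl_pids)
    if [ -n "$stale" ]; then
        echo "Processes still running the old library (restart them or reboot):"
        echo "$stale"
    else
        echo "No running process maps a replaced libssl/libcrypto."
    fi
}

# Run the checks only when executed as heartbleed-check.sh, so the functions
# can also be sourced and exercised without touching the live system.
if [ "${0##*/}" = "heartbleed-check.sh" ]; then
    main
fi
```

Run it once before the update to see the version you start from, and again after the update: the second run should report no stale processes, and if the version is still printed as affected, the changelog grep it suggests tells you whether the distribution's backported fix is present.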