What’s Heartbleed vulnerability (CVE-2014-0160)?
A serious OpenSSL vulnerability has been found, and is named Heartbleed and it affected all servers running OpenSSL versions from 1.0.01 to 1.0.1f. This vulnerability can be used to get the Private key of a SSL connection, so it is important to update / patch your server immediately. This bug is fixed in OpenSSL version 1.0.1g. All major Linux Distros have already released updates for Hartbleed vulnerability.
How to find out if your server is affected from Openssl Heartbleed vulnerability (CVE-2014-0160)?
Login to your SSH and execute following command to get the installed version number of OpenSSL:
The result should be something like this:
openssl version OpenSSL 1.0.1e 11 Feb 2013
If the version is below 1.0.1g your server might be vulnerable and you should patch it (see how below).
If your server is using a 0.9.8 release like it is used on Debian squeeze, then the server is not vulnerable as the HeartBleed function has been implemented in OpenSSL 1.0.1 and later versions only.
openssl version OpenSSL 0.9.8o 01 Jun 2010
Fixing the Heartbleed vulnerability
CentOS and Fedora:
Ubuntu and Debian:
apt-get update apt-get upgrade
Ok, now what?
After this you should restart all the services using OpenSSL but better idea is to restart the whole server just in case.
You can also verify on following site if you successfully closed the Heartbleed security hole on your server: http://filippo.io/Heartbleed/