Not only Linux Users should feel concerned. Passwords of bank accounts, mail accounts and so on could have been compromised, if the server was using a vulnerable OpenSSL Version.
This Bug allows attackers to recover the generated primary and secondary key of a https session (or any other protocol using OpenSSL) used for establishing the connection and transmitting the content. If the keys got recovered any data transmitted can be decrypted and faking the Client/Server would also be possible.
Man-In-The-Middle-Attacks could be used to inject malware to get other private data or infect a client.
It is recommended to change any password that could have been compromised and to use different passwords for each account.
You can check yourself if a server is compromised by using this tool.
vulnerable OpenSSL Versions:
- OpenSSL 1.0.1 and 1.0.1f(inclusive)
afflicted Operating Systems :
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
- Android OS Jelly Bean 4.1.1
How to fix this bug:
Update OpenSSL to 1.0.1.g or just pull following commit : https://github.com/openssl/openssl/commit/731f431497f463f3a2a97236fe0187b11c44aead
you could also downgrade to 0.98 or build openssl without the --tls-heartbeat option.
most distributors should already have commited updates to their repositories. Therefor it should be enough to update the regarding SSL packages with your package manager.
add the following repos to your /etc/apt/sources.list :
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
update your packages :
emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"
after updating your packages you need to restart any service using openssl libs and bins
Posted at 2014-04-27 19:42:35 ( updated at 2014-05-02 23:33:42 )