Questions tagged [heartbleed]

The Heartbleed bug is a vulnerability in OpenSSL's TLS implementation. The CVE ID for this issue is CVE-2014-0160.

The Heartbleed vulnerability allows an attacker to steal information that is protected by SSL/TLS encryption, and can potentially disclose private keys.

Any application using OpenSSL for its TLS implementation is potentially vulnerable, which means there is a large variety of vulnerable applications, such as web browsers, email clients and instant messaging software.

See http://heartbleed.com or CVE-2014-0160 for more information.

63 questions
4 votes, 2 answers

debian wheezy, heartbleed, openssl refuses to update

I am having a strange problem, my system is exposed to heartbleed, and I am trying to fix it by using: apt-get clean, apt-get update and apt-get upgrade openssl but the response is: Reading package lists... Done Building dependency tree Reading…
Wazime
4 votes, 2 answers

Server still vulnerable to HeartBleed after Openssl update

On a Centos 6.5 Minimal install, I have compiled Apache, PHP, and rpm installed Percona. After updating OpenSSL days ago, my site that uses SSL on this server is vulnerable to Heartbleed somehow. My Apache binary doesn't show that it is using…
DevOops
4 votes, 2 answers

Is OpenVPN UDP vulnerable to heartbleed?

Is OpenVPN UDP vulnerable to heartbleed? I need to decide if I'm going to rebuild some servers, but they are very carefully firewalled; 1194/TCP is one of the firewalled ports (yay whitelist!). 1194/UDP is used (mission critical).
4 votes, 1 answer

How can I check if certificates generated with openssl are vulnerable to heartbleed

I am aware that you can show the version of openssl you are using by typing the following at the command line "openssl version". I created a certificate and a key some time ago with similar names to server.cer and server.key. The problem I have is…
user1153199
4 votes, 1 answer

Heartbleed, which specific services must be restarted?

Trying to figure out exactly what services should be restarted after patching openssl against Heartbleed. At least one post mentions restarting: sshd, apache, nginx, postfix, dovecot, courier, pure-ftpd, bind, mysql Is there a command that can be…
xref
3 votes, 1 answer

Windows 2003 heartbleed bug openssl fix

As recommended by openssl.org I'm trying to update OpenSSL from 1.0.1e to 1.0.1g. Fixes for most Linux distributions have already been deployed, but what should be done on Windows? We are using Win Server 2003 x64; OpenSSL 1.0.1e was installed using…
user3516387
2 votes, 1 answer

HeartBleed Openssl update Redhat Enterprise server 6.3

I already updated using yum update openssl but my server is still vulnerable. Tried grep 'libssl.*(deleted)' /proc/*/maps and no result as I already restarted the server. Yet, it is still vulnerable. $ rpm -qa | grep…
iceiceice
2 votes, 1 answer

Switch the SSL provider after Heartbleed bug instead of revoking

I have a question regarding the Heartbleed problem and the SSL certificates. About Heartbleed many people say that admins should revoke their certificates and get new ones. I got my SSL certs from Startcom and as you may know they charge for…
2 votes, 1 answer

How to reset self-signed keys that allow remote shell access to server in (Debian) linux

This is not something I've ever had to do before, and in light of the heartbleed bug I've been looking for a guide of how to do it properly, but all I can find are guides on how to log into a server with a certificate instead of a password (but…
lightsurge
2 votes, 1 answer

Heartbleed vulnerability when SSL provided by unaffected servers?

I'd like to ask about two scenarios where a vulnerable version of OpenSSL is installed on a server, but that server is not providing SSL services. Scenario 1: I have an SSL certificate installed on a load balancer, behind which sits a farm of IIS…
2 votes, 0 answers

Still vulnerable to Heartbleed after updating and reboot

I'm on Ubuntu 12.04, I have updated openssl with the latest update: $ openssl version -a OpenSSL 1.0.1 14 Mar 2012 built on: Mon Apr 7 20:33:29 UTC 2014 And also updated libssl $ sudo apt-get install libssl1.0.0 Reading package lists...…
Matt
2 votes, 0 answers

Best method to update ubuntu 13.10 to patch the HeartBleed bug

So we are running ubuntu 13.10 in production and they have OpenSSL 1.0.1e 11 Feb 2013, which obviously needs to be patched. What's the best way to do it without any downtime? What will happen to the existing connections during the upgrade? Will …
pdeva
1 vote, 1 answer

Can Heartbleed cause a server to crash?

I know about the basic Heartbleed vulnerability and its consequences and cause. However, I recently read that Heartbleed may cause a server to crash. I am wondering if this statement is true and if so, why is that so. As far as I understand…
dirkk
1 vote, 1 answer

Heartbleed self-test for mailserver

The internet is now inundated by sites like this: https://ssl-tools.net/heartbleed-test Which is great, but these then immediately publish the vulnerable domains. I have a number of private mailservers which may need to be rebuilt -- they were…
goldilocks
1 vote, 3 answers

Open SSL - Is my ubuntu really secure now after dist-upgrade?

I am running an Ubuntu 12.04 server and I just updated the server with (and rebooted afterwards) sudo apt-get dist-upgrade. Now the OpenSSL version says it is built on 7 Apr 2014, which is good, but the version seems to be 1.0.1e, which is…
jan