Warning: You are viewing old, legacy content. Kept for posterity. Information is out of date. Code samples probably don't work. My opinions have probably changed. Browse at your own risk.
Apr 8, 2014
Luckily, by this time Ubuntu had released updated packages for OpenSSL, and as most of the servers under my control are running Ubuntu Server, I could easily patch them to remove the vulnerability. The fix for Red Hat seemed to take a little bit longer to arrive, but it’s here now.
Patching the vulnerability is just the first step; there’s a lot more work to do to recover from this bug…
### Check OpenSSL version
You need to be running OpenSSL 1.0.1g.
Just running this command doesn’t report back the full version information. If you check this post you will find further information on what to look for.
If you are on Ubuntu 12.04 the package you are looking for is this one:
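As an added example that is not part of the original post, the check described above as a small POSIX shell script: it reduces the output of `openssl version` to a bare version token, classifies it against the 1.0.1g fix, and, because distro packages keep the upstream string when they backport the fix, falls back to comparing the Debian/Ubuntu package version with the one from the security notice. The package name `libssl1.0.0`, the use of `dpkg-query`/`dpkg --compare-versions`, and the classification of the 0.9.8/1.0.0 branches as unaffected are my assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: upstream 1.0.1 .. 1.0.1f (and 1.0.2-beta1) are the vulnerable
# releases, 1.0.1g and later are fixed, and the 0.9.8 / 1.0.0 branches never
# had the heartbeat code. The fixed *package* version is passed in by the
# caller from the distro's security notice; it is deliberately not hard-coded.

# Reduce "OpenSSL 1.0.1g 7 Apr 2014" to the bare token "1.0.1g".
parse_openssl_version() {
    set -- $1                     # word-split: $1="OpenSSL", $2="1.0.1g", ...
    [ "$1" = "OpenSSL" ] && printf '%s\n' "$2"
}

# Classify a bare upstream version token: prints fixed, vulnerable or unknown.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f])  echo vulnerable ;;   # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)       echo fixed ;;        # 1.0.1g onwards
        1.0.2-beta1)       echo vulnerable ;;
        1.0.2*)            echo fixed ;;
        0.9.*|1.0.0*)      echo fixed ;;        # branches without the heartbeat code
        *)                 echo unknown ;;
    esac
}

# Debian/Ubuntu keep the upstream string (e.g. "1.0.1") after the security
# update, so compare the installed package version with the fixed one.
# usage: pkg_version_ok <fixed package version from the security notice>
pkg_version_ok() {
    installed=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null) || return 2
    dpkg --compare-versions "$installed" ge "$1"
}

# Live check of this machine, only when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    ver=$(parse_openssl_version "$(openssl version)")
    status=$(heartbleed_status "$ver")
    echo "openssl reports $ver: $status"
    if [ "$status" = vulnerable ]; then
        echo "upstream string is below 1.0.1g: run pkg_version_ok <version> with the version from your distro's advisory before trusting this box"
    fi
fi
```

A "vulnerable" verdict from the upstream string alone is exactly the misleading case the post warns about; the package-version comparison is the authoritative check on a backporting distro.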
But patching OpenSSL is only a small part of the fix for this bug; the consequences run much deeper.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
This essentially means that encryption keys, user credentials, and any content handled by the servers could have been exposed. So the following steps are required (see this post):
### Leaves no trace…
It’s also worth noting that exploiting the vulnerability leaves no trace, so there is no way to know whether your system, encryption keys, passwords or content have been compromised.
It’s worth doing a general password reset anyway.
Final note: this doesn’t affect OpenSSH, only OpenSSL, as OpenSSH doesn’t include the broken TLS implementation.