OpenSSL Vulnerability

SSL certificates can be compromised using a new OpenSSL vulnerability that shipped in the currently supported versions of Debian, Ubuntu, CentOS, Fedora, the BSDs and others.

Time to update your servers, regenerate your certificates and, if you are being rigorous about it, go through the certificate revocation process for the old ones. BUT be careful that OpenSSL 1.0.1g (or newer, should there be one) is actually available to you. Versions prior to 1.0.1 are NOT vulnerable to Heartbleed. Many of those older versions are vulnerable to other bugs, but you would not want to upgrade from 1.0.0 for the sole purpose of avoiding Heartbleed if you are only going to land on 1.0.1e, thereby introducing the problem.
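The version logic above (pre-1.0.1 unaffected, 1.0.1 through 1.0.1f affected, 1.0.1g or newer fixed) is easy to get wrong by eye, so here is a small POSIX sh check, added here as an example rather than anything from the original post. It classifies the version string that `openssl version` prints; the function name and the output labels are my own choice.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the Heartbleed
# affected range. Rule taken from the post: branches before 1.0.1 never had
# the bug, 1.0.1 through 1.0.1f have it, 1.0.1g and later are fixed.
#
# Prints one of: affected | fixed | unaffected | unknown
# Exit status: 1 for "affected", 2 for "unknown", 0 otherwise, so the
# function can be used directly in an `if`.
heartbleed_status() {
    # Pull the first version-looking token out of input such as
    # "OpenSSL 1.0.1f 6 Jan 2014", "1.0.1e-2+deb7u7" or "0.9.8y".
    token=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9][a-z]*\).*/\1/p')
    base=${token%%[a-z]*}      # numeric part, e.g. 1.0.1
    suffix=${token#"$base"}    # letter part, e.g. e (may be empty)

    case "$base" in
        "")
            echo "unknown"
            return 2 ;;
        1.0.1)
            # 1.0.1 (no letter) and 1.0.1a..1.0.1f carry the bug; g+ are fixed.
            case "$suffix" in
                ""|[a-f]) echo "affected"; return 1 ;;
                *)        echo "fixed";    return 0 ;;
            esac ;;
        *)
            # 0.9.8x and 1.0.0x predate the heartbeat code. (Note: the
            # 1.0.2 beta1 pre-release was also affected; it is not
            # handled here because it was never a supported release.)
            echo "unaffected"
            return 0 ;;
    esac
}

# Usage against the local build:
#   heartbleed_status "$(openssl version)"
```

One caveat the version string cannot tell you: distribution vendors backported the fix while keeping the upstream version number, so a patched Debian or Red Hat package can still report 1.0.1e. Treat "affected" from this check as "go read the package changelog (`apt-get changelog openssl`, `rpm -q --changelog openssl`) before concluding anything", and after any update restart every service that has libssl loaded, since long-running daemons keep the old library in memory until restarted.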

Considering the widespread deployment of OpenSSL, it is hard to overstate how common this bug is online.

The OpenSSL Vulnerability by Joe Atzberger, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

About Joe Atzberger

Joe Atzberger (atz) is a library hacker in Columbus, Ohio. He worked with Galen at both LibLime and Equinox Software, Inc. as an open source developer on Koha and Evergreen. Joe maintains several modules related to library system integration, including Business::EDI on CPAN and the problematic SIPServer repo on GitHub.
