How to Update OpenSSL

HeartBleed

OpenSSL announced a vulnerability (CVE-2014-0160) in the handling of the TLS heartbeat extension on April 7th, 2014. Versions 1.0.1 before 1.0.1g and 1.0.2 before 1.0.2 beta2 are affected, and the bug is fixed in 1.0.1g and 1.0.2 beta2.

Besides updating, OpenSSL provides another option, which is to recompile the package.

Most Enterprise Linux 6.4 and 6.5 administrators are still on 1.0.1e, which can be updated to the fixed release 1.0.1e-16.el6_5.7 to avoid the flaw.

Let's check the server before updating:

[root@test ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.4.x86_64

yum info openssl

See what update version we have in repository now:

[root@test ~]# yum info openssl
...
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 16.el6_5.4
Size        : 4.0 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

Available Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 16.el6_5.7
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

OK, a fixed release, 16.el6_5.7, is available to update to.

yum update openssl

[root@test ~]# yum update openssl
...
Complete!

Verify the fixed release.

[root@test ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64

Now, we are done. Don't forget to reissue your certificate after that.
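
The check and verify steps above can be scripted for a fleet of hosts. The following is an added example, not part of the original article: it classifies `rpm -q openssl` output against the fixed EL6 release named here (1.0.1e-16.el6_5.7). The function names `classify_openssl` and `audit_rpm_output` are hypothetical, and `sort -V` is assumed to be GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original article): classify `rpm -q openssl`
# output on EL6 against the fixed build the article names.

FIXED_RELEASE="16.el6_5.7"   # fixed build of 1.0.1e, taken from the article

# classify_openssl NVRA -> prints "fixed", "vulnerable" or "unknown"
classify_openssl() {
    nvra=$(printf '%s' "$1" | tr -d ' ')      # tolerate stray spaces from copy/paste
    case "$nvra" in
        openssl-1.0.1e-*) ;;                  # only the build line this article covers
        *) echo unknown; return ;;            # other versions, or "not installed"
    esac
    release=${nvra#openssl-1.0.1e-}
    for arch in x86_64 i686 i386; do          # drop the architecture suffix if present
        release=${release%."$arch"}
    done
    # sort -V approximates RPM ordering for these strings (assumption);
    # rpm's own version comparison is authoritative.
    lowest=$(printf '%s\n%s\n' "$release" "$FIXED_RELEASE" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_RELEASE" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# audit_rpm_output: reads `rpm -q openssl` lines on stdin (multilib hosts print
# one line per architecture); returns 0 only if every line is a fixed build.
audit_rpm_output() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=$(classify_openssl "$line")
        printf '%-12s %s\n' "$status" "$line"
        [ "$status" = fixed ] || rc=1
    done
    return $rc
}

# On a real host: rpm -q openssl | audit_rpm_output
```

A non-zero exit from `audit_rpm_output` means at least one installed build is older than the fixed release or could not be classified.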
