Heartbleed on CentOS
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
See this CVE:
1. Versions of CentOS Linux Impacted
CentOS-2.1, CentOS-3, CentOS-4, CentOS-5, and CentOS-7 are not impacted by the Heartbleed issue.
CentOS-6 versions before CentOS-6.5 were not impacted, as long as default versions of OpenSSL were used.
CentOS-6.5 was impacted from its release on Sunday, December 1st, 2013 at 16:03:27 UTC, until the fixed version of OpenSSL for CentOS-6 (openssl-1.0.1e-16.el6_5.7) was released as an update on Tuesday, April 8th, 2014 at 02:54:58 UTC.
To figure out if your CentOS-6.5 install is impacted, run the command:
rpm -q openssl
The result will be similar to this:
rpm -q openssl openssl-1.0.1e-16.el6_5.15.x86_64
If you are running CentOS-6 and if the result is not at least openssl-1.0.1e-16.el6_5.7 then you are currently vulnerable. (in this example, it is a higher version at openssl-1.0.1e-16.el6_5.15, so this machine is not currently vulnerable).
2. Mitigation on CentOS-6.5 if a Machine was Ever Vulnerable
If a machine was vulnerable at any time, then the machine should be mitigated by verifying you now have a non vulnerable version of openssl and then following the steps in this guide:
3. More Info
4. CentOS Announce List
All CentOS security updates are released via the CentOS Announce Mailing list, so if you want to know when an update is released then subscribing to the mailing list is the way to get it as soon as it is released.