Heartbleed on CentOS

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

See this CVE:

Versions of CentOS Linux Impacted

CentOS-2.1, CentOS-3, CentOS-4, CentOS-5, and CentOS-7 are not impacted by the Heartbleed issue.

CentOS-6 releases before CentOS-6.5 (6.0 through 6.4) were not impacted as long as the default OpenSSL packages were used: they shipped OpenSSL 1.0.0, which predates the TLS heartbeat extension code that contains the bug.

CentOS-6.5 was impacted from its release on Sunday, December 1st, 2013 at 16:03:27 UTC, until the fixed version of OpenSSL for CentOS-6 (openssl-1.0.1e-16.el6_5.7) was released as an update on Tuesday, April 8th, 2014 at 02:54:58 UTC.

To figure out if your CentOS-6.5 install is impacted, run the command:

rpm -q openssl

The result will be similar to this:

openssl-1.0.1e-16.el6_5.15.x86_64

If you are running CentOS-6 and the result is not at least openssl-1.0.1e-16.el6_5.7, then you are currently vulnerable. (In this example the installed build, openssl-1.0.1e-16.el6_5.15, is newer than the fixed build, so this machine is not currently vulnerable.) Compare the release field numerically, not as text: el6_5.15 is newer than el6_5.7 even though "15" sorts before "7" as a string. Note that rpm reports the package installed on disk; a daemon started before the update keeps the old library mapped in memory until it is restarted.
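The version check above, and the restart caveat that goes with it, as an added example (this is not a script from the CentOS wiki or the CentOS project). It takes the fixed build openssl-1.0.1e-16.el6_5.7 from this page, compares version segments the way rpm does (numerically, so el6_5.15 ranks above el6_5.7), treats a 1.0.0 build as not affected, and filters `lsof -n` output for processes that still map a deleted libssl/libcrypto after an update. The `rpm -q` and `lsof` lines it runs on are constructed sample data; the commented commands at the end run the same checks live on a real host (lsof must run as root to see every process).

```shell
#!/bin/sh
# Added example for this wiki page (not CentOS project code): decide from the
# output of `rpm -q openssl` whether a CentOS-6 host carries the Heartbleed
# fix, and list running processes that still map a pre-update libssl/libcrypto.

FIXED_EVR="1.0.1e-16.el6_5.7"   # first fixed openssl build for CentOS-6 (from the page)

# Split a version string into one segment per line, the way rpm compares
# versions: "1.0.1e-16.el6_5.7" -> 1 0 1 e 16 el 6 5 7.
segments() {
    printf '%s' "$1" \
      | sed 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g; s/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
      | tr -c 'A-Za-z0-9' '\n' \
      | sed '/^$/d'
}

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# rpmvercmp-style comparison; prints -1, 0 or 1 for "$1" <, =, > "$2".
# Numeric segments compare as integers (so 15 > 7), a numeric segment
# outranks an alphabetic one, and a longer string with an equal prefix is newer.
vercmp() {
    a=$(segments "$1"); b=$(segments "$2"); i=1
    while :; do
        x=$(printf '%s\n' "$a" | sed -n "${i}p")
        y=$(printf '%s\n' "$b" | sed -n "${i}p")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return; fi
        if [ -z "$x" ]; then printf '%s\n' -1; return; fi
        if [ -z "$y" ]; then printf '%s\n' 1; return; fi
        if is_num "$x" && is_num "$y"; then
            if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
            if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        elif is_num "$x"; then printf '%s\n' 1; return
        elif is_num "$y"; then printf '%s\n' -1; return
        elif [ "$x" != "$y" ]; then
            if [ "$(expr "$x" \< "$y")" = 1 ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
            return
        fi
        i=$((i + 1))
    done
}

# Classify one `rpm -q openssl` line. Prints one of:
#   not-affected  (OpenSSL 1.0.0 as shipped by CentOS-6.0 to 6.4: no heartbeat code)
#   vulnerable    (a 1.0.1 build older than the fixed release)
#   fixed         (the fixed release or newer)
heartbleed_status() {
    evr=$(printf '%s' "$1" | sed 's/^openssl-//; s/\.x86_64$//; s/\.i686$//')
    case "$evr" in
        1.0.0-*) printf '%s\n' not-affected; return 0 ;;
    esac
    if [ "$(vercmp "$evr" "$FIXED_EVR")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# After `yum update openssl`, daemons started before the update still run the
# old code until restarted. `lsof -n` marks unlinked mappings with "DEL" in the
# FD column; this filters such lines for libssl/libcrypto and prints "COMMAND PID".
needs_restart() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)/ { print $1, $2 }' | sort -u
}

# Constructed sample input (not real host data): what `rpm -q openssl` and
# `lsof -n` might print on a few CentOS-6 hosts.
SAMPLE_RPM="openssl-1.0.1e-16.el6_5.15.x86_64
openssl-1.0.1e-15.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64"
SAMPLE_LSOF="httpd    1852 apache DEL REG 253,0 131455 /usr/lib64/libssl.so.1.0.1e
httpd    1852 apache DEL REG 253,0 131402 /usr/lib64/libcrypto.so.1.0.1e
httpd    1853 apache DEL REG 253,0 131455 /usr/lib64/libssl.so.1.0.1e
sshd     1234 root   mem REG 253,0 131455 /usr/lib64/libssl.so.1.0.1e"

printf '%s\n' "$SAMPLE_RPM" | while read -r pkg; do
    printf '%-36s %s\n' "$pkg" "$(heartbleed_status "$pkg")"
done
echo "processes still mapping a deleted libssl/libcrypto (restart these):"
printf '%s\n' "$SAMPLE_LSOF" | needs_restart

# On a real CentOS-6 host, the same checks live (lsof needs root to see all processes):
#   heartbleed_status "$(rpm -q openssl)"
#   lsof -n 2>/dev/null | needs_restart
```

The deleted-mapping check matters because `yum update openssl` replaces the file on disk but not the copy already loaded by httpd, sshd, postfix and the like; until those are restarted (or the host rebooted) they keep serving the vulnerable code, even though `rpm -q openssl` now reports the fixed build.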

Mitigation on CentOS-6.5 if a Machine was Ever Vulnerable

If a machine was vulnerable at any time, installing the fix alone is not enough, because the bug may already have exposed private keys, session cookies and passwords held in server memory. First verify that you now have a non-vulnerable version of openssl, restart (or reboot) every service that had the old library loaded, since updating the package does not replace the copy already mapped into running processes, and then follow the steps in this guide:

More Info

CentOS Announce List

All CentOS security updates are announced on the CentOS Announce mailing list, so subscribing to it is the way to learn about an update as soon as it is released.

Security/Heartbleed (last edited 2014-10-07 01:00:47 by TimothyLee)