What To Do About Heartbleed
The word Heartbleed has been all over the headlines recently. Despite its grim name, though, Heartbleed needn’t give you a heart attack.
Basically, Heartbleed is a bug in certain versions of OpenSSL software that attackers can take advantage of. OpenSSL is used by servers, websites and apps to encrypt the sensitive data that they receive and give out. The Heartbleed bug provides a way of accessing some of this encrypted data.
But there’s no need to stress about it. Firstly, not every server or site has been affected by Heartbleed. We’ve checked our Midphase servers and they have been patched, which means they don’t have a vulnerable version of OpenSSL on them.
Of course, there are always things you can do to be extra-safe. If you’re using our web hosting or website builder service, you can sleep easy because we’ve patched your products. However, we advise you to up your security anyway by refreshing all the passwords you use with Midphase.
If you run your own server or virtual machine with Midphase, and you have installed OpenSSL yourself, for use with a self-generated or purchased key, then we suggest you update to the latest version of OpenSSL for real peace of mind.
Step 1
Take a look to see if your server is running an unpatched version of OpenSSL. To do this, just log in to your server and use the following command to see which version you are using.
openssl version -a
The following versions are vulnerable…
OpenSSL 1.0.1 through 1.0.1f (inclusive)
While these versions are not…
OpenSSL 1.0.1g
OpenSSL 1.0.0 branch
OpenSSL 0.9.8 branch
CloudLinux OpenSSL 1.0.1e-16el6_5.7
Step 2
If you discover you are using a vulnerable version, you can update using the following commands.
CentOS
yum check-update
yum -y update openssl

Ubuntu
sudo apt-get update
sudo apt-get install openssl

Debian
sudo apt-get update
sudo apt-get install openssl

Fedora
sudo yum -y install openssl
Step 3
Now you need to re-check the build date of OpenSSL, using the same command as in Step 1, to make sure the update has worked. It should show a date that’s April 7 2014 or later.
Step 4
Once you’re sure the update has gone through, you’ll need to regenerate your secure keys and invalidate the ones you were using before. Once you’ve done this, you can restart your services and carry on as normal.
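The check in Steps 1 and 3 can be scripted. The following is an added example, not part of the original guide: it encodes only the version list and the April 7 2014 build-date cutoff given above, and the function name, result words and sample outputs are constructed for illustration. It also covers the case where a distribution patches OpenSSL without changing the version string, which is why the build date matters.

```sh
#!/bin/sh
# Added example. Samples below are constructed, not captured from a real host.
SAMPLE_OLD='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Jan  7 10:03:12 UTC 2014'
SAMPLE_BACKPORT='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 20:33:19 UTC 2014'
SAMPLE_NODATE='OpenSSL 1.0.1c 10 May 2012
built on: date unspecified'

# heartbleed_status TEXT  (hypothetical helper name)
# TEXT is the output of `openssl version -a`. Prints one word:
#   vulnerable           1.0.1 through 1.0.1f, built before April 7 2014
#   patched-build        1.0.1 through 1.0.1f, built April 7 2014 or later
#   unknown-build-date   1.0.1 through 1.0.1f, build date not parseable
#   outside-range        any other version (1.0.1g, 1.0.0, 0.9.8 ...)
#   unknown              no "OpenSSL <version>" line found
heartbleed_status() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    $1 == "OpenSSL" && ver == "" { ver = $2 }
    $1 == "built" && $2 == "on:" {
        # Expected shape: built on: Tue Apr  8 02:39:29 UTC 2014
        if (($4 in mon) && $5 ~ /^[0-9]+$/ && $NF ~ /^[0-9][0-9][0-9][0-9]$/)
            built = $NF * 10000 + mon[$4] * 100 + $5
    }
    END {
        if (ver == "") { print "unknown"; exit }
        sub(/-.*/, "", ver)     # drop suffixes such as -fips
        if (ver !~ /^1\.0\.1[a-f]?$/) print "outside-range"
        else if (built == 0)          print "unknown-build-date"
        else if (built >= 20140407)   print "patched-build"
        else                          print "vulnerable"
    }'
}

# On a live server: heartbleed_status "$(openssl version -a)"
for s in "$SAMPLE_OLD" "$SAMPLE_BACKPORT" "$SAMPLE_FIXED" "$SAMPLE_NODATE"; do
    heartbleed_status "$s"
done
```

A result of unknown-build-date means the build date could not be read, so check the installed package version with your distribution's package manager instead.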