The Community Forums


OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

Discussion in 'Security' started by bouvrie, Apr 8, 2014.

  1. bouvrie

    bouvrie Active Member

    Mod Note -
    Official Response by the cPanel Security Team has been posted to the cPanel Blog:

    Heartbleed Vulnerability Information - cPanel Blog


    Hi everyone. Any news on when OpenSSL 1.0.1g will be made available / pushed for us? Current version is 1.0.1e and that version is vulnerable to the OpenSSL Heartbleed bug.

    Source. Test for vulnerability here.

    What is being leaked?
    Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets to four categories:
    1. primary key material,
    2. secondary key material and
    3. protected content and
    4. collateral.
    What is leaked primary key material and how to recover?
    These are the crown jewels, the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past vulnerable to decryption. All this has to be done by the owners of the services.

    What is leaked secondary key material and how to recover?
    These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leak requires owners of the service first to restore trust to the service according to the steps described above. After this users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalidated and considered compromised.

    What is leaked protected content and how to recover?
    This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. Only owners of the services will be able to estimate the likelihood of what has been leaked and they should notify their users accordingly. The most important thing is to restore trust to the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.

    What is leaked collateral and how to recover?
    Leaked collateral are other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks. These have only contemporary value and will lose their value to the attacker when OpenSSL has been upgraded to a fixed version.
     
    #1 bouvrie, Apr 8, 2014
    Last edited by a moderator: Apr 10, 2014
  2. ThinIce

    ThinIce Well-Known Member

    Looks like there is a CentOS / Redhat release of a patched version https://rhn.redhat.com/errata/RHSA-2014-0376.html

    Does anyone know if it's necessary to actually rebuild apache, or is a restart sufficient?

    Edit: am aware of the note below, but as we aren't using the OS-provided httpd

     
    #2 ThinIce, Apr 8, 2014
    Last edited: Apr 8, 2014
  3. serlex

    serlex Well-Known Member

    Any way to reset cPanel certificates via SSH? This is a problem when resetting over 1k servers :)
     
  4. semseoymas

    semseoymas Member

    With WHM 11.42.0 (build 19) in my case, it seems WHM/cpanel need to be fixed...

    Test your server for Heartbleed (CVE-2014-0160)

    Just test your server using :port

    I do not know what to say about apache/nginx listening at 443... I updated libssl with yum and restarted, but Apache is still vulnerable. Would compiling it again fix this?

    Is there no quicker solution than having to recompile Apache on every machine?

    Thanks.
     
    #4 semseoymas, Apr 8, 2014
    Last edited: Apr 8, 2014
  5. bouvrie

    bouvrie Active Member

    On WHM 11.42.0 (build 23) HTTPS (SSL) is vulnerable on port :443. WHM port :2087 is also vulnerable.
     
  6. jacobcolton

    jacobcolton Member

    Yum updates don't seem to be fixing it, just recompiling at the moment seems to resolve it.
     
  7. bouvrie

    bouvrie Active Member

    Please be so kind to publish how to recompile.
     
  8. ThinIce

    ThinIce Well-Known Member

    From what I can see, with regard to cPanel itself on CentOS or RHEL: yum update to install the updated packages, then restart all affected services linked to OpenSSL, or if you aren't sure, reboot.

    Others have said above that Apache needs to be recompiled; in the absence of a post from cPanel, do that as normal through EasyApache after you have the new package.

    EDIT - a recompile of Apache shouldn't be necessary, but a complete restart (i.e. a full stop of all Apache processes) will be necessary - a graceful restart is not enough.

    What you do after that is just as interesting. According to the write-up, this has been open to exploitation for a while, and successful exploitation would leave no log trace. As such it seems a fair bit of regenerating of keys / SSL certs and then changing any details (like passwords) they have protected may be appropriate. It seems we might have a bit of a rabbit hole job :p
     
    #8 ThinIce, Apr 8, 2014
    Last edited: Apr 8, 2014
  9. jerrybell

    jerrybell Well-Known Member

    Re: OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

    The issue is that CentOS, at least with the repos that cPanel uses, does not yet contain the updated library. Yum update finds nothing to update.

    This bug is turning out to be quite bad. There are demonstrations where usernames and plaintext passwords are being pulled off of web servers. Once updated, it might be a good idea to reset passwords in addition to certs.

    Hopefully updated libraries will be pushed out for centos soon.

    - - - Updated - - -

    As it turns out, an OpenSSL update was automatically applied last night. It looks like the 1.0.1e lib was just recompiled (probably with heartbeat disabled). I was thrown off because the vulnerable version number was appearing; however, looking at the files for OpenSSL clearly shows it was updated. When I restarted Apache, it was no longer vulnerable.
     
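    The two preceding posts describe the same trap from opposite sides: the patched RPM still reports 1.0.1e, and services started before the update keep running the old library until they are fully restarted. The script below is an added example, not code from this thread or from cPanel; the function names are mine, and the changelog excerpt and the /proc-style maps files are constructed so it runs offline (on a live host, feed `rpm -q --changelog openssl` into the first function and point the second at /proc).

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel). Two checks a defender
# wants after `yum update openssl` on a CentOS/RHEL cPanel box:
#  1. the package still reports 1.0.1e, so look for the CVE-2014-0160 entry
#     in the RPM changelog instead of trusting `openssl version`;
#  2. services started before the update keep the old library mapped, so
#     find processes whose maps reference a deleted libssl/libcrypto and
#     fully restart those (a graceful restart is not enough; see post #8).

# Returns 0 when the changelog text on stdin mentions the Heartbleed fix.
# On a live host: rpm -q --changelog openssl | changelog_has_heartbleed_fix
changelog_has_heartbleed_fix() {
    grep -q 'CVE-2014-0160'
}

# Prints the PIDs whose memory maps still reference a deleted libssl or
# libcrypto, one per line. $1 is the proc root (/proc on a live host; a
# constructed tree in the demo below). Such processes still execute the
# pre-update code regardless of what `rpm -q openssl` reports.
stale_ssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" >/dev/null 2>&1; then
            pid=${maps#"$root"/}
            echo "${pid%/maps}"
        fi
    done
}

# Constructed stand-in for /proc so the script runs offline. Prints the path.
make_sample_proc() {
    dir=$(mktemp -d)
    mkdir -p "$dir/100" "$dir/200" "$dir/300"
    # PID 100: httpd that still maps the pre-update library (needs restart).
    printf '%s\n' \
      '7f1e0000-7f1f0000 r-xp 00000000 fd:01 1234 /usr/lib64/libssl.so.1.0.1e (deleted)' \
      '7f1f0000-7f200000 r-xp 00000000 fd:01 1235 /usr/lib64/libcrypto.so.1.0.1e (deleted)' \
      > "$dir/100/maps"
    # PID 200: cpsrvd restarted after the update (maps the current file).
    printf '%s\n' \
      '7f2e0000-7f2f0000 r-xp 00000000 fd:01 2234 /usr/lib64/libssl.so.1.0.1e' \
      > "$dir/200/maps"
    # PID 300: a process that does not use OpenSSL at all.
    printf '%s\n' \
      '7f3e0000-7f3f0000 r-xp 00000000 fd:01 3234 /lib64/libc-2.12.so' \
      > "$dir/300/maps"
    echo "$dir"
}

# Constructed changelog excerpts in the style of `rpm -q --changelog openssl`
# (version strings taken from the yum output posted earlier in the thread;
# the packager name and dates are placeholders).
SAMPLE_CHANGELOG_FIXED='* Mon Apr 07 2014 packager <packager@example.invalid> 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
SAMPLE_CHANGELOG_OLD='* Tue Jan 07 2014 packager <packager@example.invalid> 1.0.1e-16.el6_5.4
- rebuild'

# Demo on the constructed data.
if printf '%s\n' "$SAMPLE_CHANGELOG_FIXED" | changelog_has_heartbleed_fix; then
    echo "changelog: CVE-2014-0160 fix present"
else
    echo "changelog: fix NOT present, update the openssl package first"
fi
proc=$(make_sample_proc)
echo "PIDs still mapping the old libssl/libcrypto (restart these):"
stale_ssl_pids "$proc"
rm -rf "$proc"
```

    The second check is what distinguishes "package updated" from "service fixed": a PID listed by stale_ssl_pids still answers TLS with the old code, which is why the tester kept reporting port 2087 as vulnerable until cpsrvd was restarted.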
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    WHM » Software » Update System Software
    Code:
    checkyum version 21.1
    Loaded plugins: fastestmirror, rhnplugin, security
    Loading mirror speeds from cached hostfile
     * cloudlinux-x86_64-server-6: xmlrpc.cln.cloudlinux.com
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package krb5-devel.x86_64 0:1.10.3-10.el6_4.6 will be updated
    ---> Package krb5-devel.x86_64 0:1.10.3-15.el6_5.1 will be an update
    ---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.6 will be updated
    ---> Package krb5-libs.x86_64 0:1.10.3-15.el6_5.1 will be an update
    ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.4 will be updated
    ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
    ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.4 will be updated
    ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package        Arch    Version               Repository                   Size
    ================================================================================
    Updating:
     krb5-devel     x86_64  1.10.3-15.el6_5.1     cloudlinux-x86_64-server-6  494 k
     krb5-libs      x86_64  1.10.3-15.el6_5.1     cloudlinux-x86_64-server-6  760 k
     openssl        x86_64  1.0.1e-16.el6_5.7     cloudlinux-x86_64-server-6  1.5 M
     openssl-devel  x86_64  1.0.1e-16.el6_5.7     cloudlinux-x86_64-server-6  1.2 M
    
    Transaction Summary
    ================================================================================
    Upgrade       4 Package(s)
    
    Total download size: 3.9 M
    Downloading Packages:
    --------------------------------------------------------------------------------
    Total                                           1.8 MB/s | 3.9 MB     00:02     
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    
      Updating   : krb5-libs-1.10.3-15.el6_5.1.x86_64                           1/8 
    
      Updating   : openssl-1.0.1e-16.el6_5.7.x86_64                             2/8 
    
      Updating   : krb5-devel-1.10.3-15.el6_5.1.x86_64                          3/8 
    
      Updating   : openssl-devel-1.0.1e-16.el6_5.7.x86_64                       4/8 
    
      Cleanup    : openssl-devel-1.0.1e-16.el6_5.4.x86_64                       5/8 
    
      Cleanup    : krb5-devel-1.10.3-10.el6_4.6.x86_64                          6/8 
    
      Cleanup    : openssl-1.0.1e-16.el6_5.4.x86_64                             7/8 
    
      Cleanup    : krb5-libs-1.10.3-10.el6_4.6.x86_64                           8/8 
    
      Verifying  : openssl-devel-1.0.1e-16.el6_5.7.x86_64                       1/8 
    
      Verifying  : krb5-libs-1.10.3-15.el6_5.1.x86_64                           2/8 
    
      Verifying  : openssl-1.0.1e-16.el6_5.7.x86_64                             3/8 
    
      Verifying  : krb5-devel-1.10.3-15.el6_5.1.x86_64                          4/8 
    
      Verifying  : openssl-1.0.1e-16.el6_5.4.x86_64                             5/8 
    
      Verifying  : openssl-devel-1.0.1e-16.el6_5.4.x86_64                       6/8 
    
      Verifying  : krb5-libs-1.10.3-10.el6_4.6.x86_64                           7/8 
    
      Verifying  : krb5-devel-1.10.3-10.el6_4.6.x86_64                          8/8 
    
    Updated:
      krb5-devel.x86_64 0:1.10.3-15.el6_5.1                                         
      krb5-libs.x86_64 0:1.10.3-15.el6_5.1                                          
      openssl.x86_64 0:1.0.1e-16.el6_5.7                                            
      openssl-devel.x86_64 0:1.0.1e-16.el6_5.7                                      
    
    Complete!
    checkyum version 21.1
    
     
  11. bouvrie

    bouvrie Active Member

    How about your WHM SSL port ( 2087 ) - that one is still vulnerable, the tester reports...
     
  12. jerrybell

    jerrybell Well-Known Member

    I had to restart cPanel, but once I did, all the cPanel ports show not vulnerable.
     
  13. Guile

    Guile Well-Known Member

    WHM » Software » Update System Software only showed the following:

     
  14. mahinder

    mahinder Well-Known Member

    Yes, after rebooting the server, services are not shown as vulnerable. Restart the service or just reboot the server.
     
    #14 mahinder, Apr 8, 2014
    Last edited: Apr 8, 2014
  15. Jorel

    Jorel Well-Known Member

    Code:
    checkyum version 21.1
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: centos.mirrors.atwab.net
     * extras: less.cogeco.net
     * updates: www.cubiculestudio.com
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package atk.x86_64 0:1.28.0-2.el6 will be updated
    ---> Package atk.x86_64 0:1.30.0-1.el6 will be an update
    ---> Package bash.x86_64 0:4.1.2-14.el6 will be updated
    ---> Package bash.x86_64 0:4.1.2-15.el6_4 will be an update
    ---> Package bind.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated
    ---> Package bind.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update
    ---> Package bind-devel.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated
    ---> Package bind-devel.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update
    ---> Package bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated
    ---> Package bind-libs.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update
    ---> Package bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated
    ---> Package bind-utils.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update
    ---> Package ca-certificates.noarch 0:2010.63-3.el6_1.5 will be updated
    ---> Package ca-certificates.noarch 0:2013.1.95-65.1.el6_5 will be an update
    --> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2013.1.95-65.1.el6_5.noarch
    --> Processing Dependency: p11-kit >= 0.18.4-2 for package: ca-certificates-2013.1.95-65.1.el6_5.noarch
    ---> Package centos-release.x86_64 0:6-4.el6.centos.10 will be updated
    ---> Package centos-release.x86_64 0:6-5.el6.centos.11.2 will be an update
    ---> Package chkconfig.x86_64 0:1.3.49.3-2.el6 will be updated
    ---> Package chkconfig.x86_64 0:1.3.49.3-2.el6_4.1 will be an update
    ---> Package coreutils.x86_64 0:8.4-31.el6 will be updated
    ---> Package coreutils.x86_64 0:8.4-31.el6_5.1 will be an update
    ---> Package coreutils-libs.x86_64 0:8.4-31.el6 will be updated
    ---> Package coreutils-libs.x86_64 0:8.4-31.el6_5.1 will be an update
    ---> Package cronie.x86_64 0:1.4.4-7.el6 will be updated
    ---> Package cronie.x86_64 0:1.4.4-12.el6 will be an update
    ---> Package cronie-anacron.x86_64 0:1.4.4-7.el6 will be updated
    ---> Package cronie-anacron.x86_64 0:1.4.4-12.el6 will be an update
    ---> Package cups-libs.x86_64 1:1.4.2-50.el6_4.4 will be updated
    ---> Package cups-libs.x86_64 1:1.4.2-50.el6_4.5 will be an update
    ---> Package curl.x86_64 0:7.19.7-35.el6 will be updated
    ---> Package curl.x86_64 0:7.19.7-37.el6_4 will be an update
    ---> Package cvs.x86_64 0:1.11.23-15.el6 will be updated
    ---> Package cvs.x86_64 0:1.11.23-16.el6 will be an update
    ---> Package db4.x86_64 0:4.7.25-17.el6 will be updated
    ---> Package db4.x86_64 0:4.7.25-18.el6_4 will be an update
    ---> Package db4-cxx.x86_64 0:4.7.25-17.el6 will be updated
    ---> Package db4-cxx.x86_64 0:4.7.25-18.el6_4 will be an update
    ---> Package db4-devel.x86_64 0:4.7.25-17.el6 will be updated
    ---> Package db4-devel.x86_64 0:4.7.25-18.el6_4 will be an update
    ---> Package db4-utils.x86_64 0:4.7.25-17.el6 will be updated
    ---> Package db4-utils.x86_64 0:4.7.25-18.el6_4 will be an update
    ---> Package device-mapper.x86_64 0:1.02.77-9.el6 will be updated
    ---> Package device-mapper.x86_64 0:1.02.79-8.el6 will be an update
    ---> Package device-mapper-event.x86_64 0:1.02.77-9.el6 will be updated
    ---> Package device-mapper-event.x86_64 0:1.02.79-8.el6 will be an update
    ---> Package device-mapper-event-libs.x86_64 0:1.02.77-9.el6 will be updated
    ---> Package device-mapper-event-libs.x86_64 0:1.02.79-8.el6 will be an update
    ---> Package device-mapper-libs.x86_64 0:1.02.77-9.el6 will be updated
    ---> Package device-mapper-libs.x86_64 0:1.02.79-8.el6 will be an update
    ---> Package device-mapper-persistent-data.x86_64 0:0.1.4-1.el6 will be updated
    ---> Package device-mapper-persistent-data.x86_64 0:0.2.8-2.el6 will be an update
    ---> Package dhclient.x86_64 12:4.1.1-34.P1.el6.centos will be updated
    ---> Package dhclient.x86_64 12:4.1.1-38.P1.el6.centos will be an update
    ---> Package dhcp-common.x86_64 12:4.1.1-34.P1.el6.centos will be updated
    ---> Package dhcp-common.x86_64 12:4.1.1-38.P1.el6.centos will be an update
    ---> Package dmidecode.x86_64 1:2.11-2.el6 will be updated
    ---> Package dmidecode.x86_64 1:2.12-5.el6_5 will be an update
    ---> Package efibootmgr.x86_64 0:0.5.4-10.el6 will be updated
    ---> Package efibootmgr.x86_64 0:0.5.4-11.el6 will be an update
    ---> Package ethtool.x86_64 2:3.5-1.el6 will be updated
    ---> Package ethtool.x86_64 2:3.5-1.2.el6_5 will be an update
    ---> Package expect.x86_64 0:5.44.1.15-4.el6 will be updated
    ---> Package expect.x86_64 0:5.44.1.15-5.el6_4 will be an update
    ---> Package ftp.x86_64 0:0.17-53.el6 will be updated
    ---> Package ftp.x86_64 0:0.17-54.el6 will be an update
    ---> Package ghostscript.x86_64 0:8.70-15.el6_4.1 will be updated
    ---> Package ghostscript.x86_64 0:8.70-19.el6 will be an update
    ---> Package glib2.x86_64 0:2.22.5-7.el6 will be updated
    ---> Package glib2.x86_64 0:2.26.1-7.el6_5 will be an update
    --> Processing Dependency: shared-mime-info for package: glib2-2.26.1-7.el6_5.x86_64
    ---> Package gnupg2.x86_64 0:2.0.14-4.el6 will be updated
    ---> Package gnupg2.x86_64 0:2.0.14-6.el6_4 will be an update
    ---> Package gnutls.x86_64 0:2.8.5-10.el6_4.1 will be updated
    ---> Package gnutls.x86_64 0:2.8.5-13.el6_5 will be an update
    ---> Package grep.x86_64 0:2.6.3-3.el6 will be updated
    ---> Package grep.x86_64 0:2.6.3-4.el6_5.1 will be an update
    ---> Package grub.x86_64 1:0.97-81.el6 will be updated
    ---> Package grub.x86_64 1:0.97-83.el6 will be an update
    ---> Package grubby.x86_64 0:7.0.15-3.el6 will be updated
    ---> Package grubby.x86_64 0:7.0.15-5.el6 will be an update
    ---> Package gtk2.x86_64 0:2.18.9-12.el6 will be updated
    ---> Package gtk2.x86_64 0:2.20.1-4.el6 will be an update
    ---> Package gzip.x86_64 0:1.3.12-18.el6 will be updated
    ---> Package gzip.x86_64 0:1.3.12-19.el6_4 will be an update
    ---> Package hwdata.noarch 0:0.233-7.9.el6 will be updated
    ---> Package hwdata.noarch 0:0.233-9.1.el6 will be an update
    ---> Package initscripts.x86_64 0:9.03.38-1.el6.centos.1 will be updated
    ---> Package initscripts.x86_64 0:9.03.40-2.el6.centos.1 will be an update
    ---> Package iproute.x86_64 0:2.6.32-23.el6 will be updated
    ---> Package iproute.x86_64 0:2.6.32-31.el6 will be an update
    ---> Package iptables.x86_64 0:1.4.7-9.el6 will be updated
    ---> Package iptables.x86_64 0:1.4.7-11.el6 will be an update
    ---> Package iptables-ipv6.x86_64 0:1.4.7-9.el6 will be updated
    ---> Package iptables-ipv6.x86_64 0:1.4.7-11.el6 will be an update
    ---> Package iputils.x86_64 0:20071127-16.el6 will be updated
    ---> Package iputils.x86_64 0:20071127-17.el6_4.2 will be an update
    ---> Package irqbalance.x86_64 2:1.0.4-3.el6 will be updated
    ---> Package irqbalance.x86_64 2:1.0.4-8.el6_5 will be an update
    --> Processing Dependency: kernel >= 2.6.32-358.2.1 for package: 2:irqbalance-1.0.4-8.el6_5.x86_64
    ---> Package iw.x86_64 0:0.9.17-4.el6 will be updated
    ---> Package iw.x86_64 0:3.10-1.1.el6 will be an update
    ---> Package kernel-headers.x86_64 0:2.6.32-358.2.1.el6 will be updated
    ---> Package kernel-headers.x86_64 0:2.6.32-431.11.2.el6 will be an update
    ---> Package krb5-devel.x86_64 0:1.10.3-10.el6_4.6 will be updated
    ---> Package krb5-devel.x86_64 0:1.10.3-15.el6_5.1 will be an update
    ---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.6 will be updated
    ---> Package krb5-libs.x86_64 0:1.10.3-15.el6_5.1 will be an update
    ---> Package libXcursor.x86_64 0:1.1.13-2.el6 will be updated
    ---> Package libXcursor.x86_64 0:1.1.13-6.20130524git8f677eaea.el6 will be an update
    ---> Package libXfont.x86_64 0:1.4.5-2.el6 will be updated
    ---> Package libXfont.x86_64 0:1.4.5-3.el6_5 will be an update
    ---> Package libblkid.x86_64 0:2.17.2-12.9.el6 will be updated
    ---> Package libblkid.x86_64 0:2.17.2-12.14.el6 will be an update
    ---> Package libcgroup.x86_64 0:0.37-7.1.el6 will be updated
    ---> Package libcgroup.x86_64 0:0.40.rc1-5.el6_5.1 will be an update
    ---> Package libcurl.x86_64 0:7.19.7-35.el6 will be updated
    ---> Package libcurl.x86_64 0:7.19.7-37.el6_4 will be an update
    ---> Package libgcj.x86_64 0:4.4.7-3.el6 will be updated
    ---> Package libgcj.x86_64 0:4.4.7-4.el6 will be an update
    ---> Package libgcrypt.x86_64 0:1.4.5-9.el6_2.2 will be updated
    ---> Package libgcrypt.x86_64 0:1.4.5-11.el6_4 will be an update
    ---> Package libnl.x86_64 0:1.1-14.el6 will be updated
    ---> Package libnl.x86_64 0:1.1.4-2.el6 will be an update
    ---> Package libpcap.x86_64 14:1.0.0-6.20091201git117cb5.el6 will be updated
    ---> Package libpcap.x86_64 14:1.4.0-1.20130826git2dbcaa1.el6 will be an update
    ---> Package libselinux.x86_64 0:2.0.94-5.3.el6 will be updated
    ---> Package libselinux.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
    ---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6 will be updated
    ---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
    ---> Package libselinux-utils.x86_64 0:2.0.94-5.3.el6 will be updated
    ---> Package libselinux-utils.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
    ---> Package libtiff.x86_64 0:3.9.4-9.el6_3 will be updated
    ---> Package libtiff.x86_64 0:3.9.4-10.el6_5 will be an update
    ---> Package libtiff-devel.x86_64 0:3.9.4-9.el6_3 will be updated
    ---> Package libtiff-devel.x86_64 0:3.9.4-10.el6_5 will be an update
    ---> Package libudev.x86_64 0:147-2.46.el6 will be updated
    ---> Package libudev.x86_64 0:147-2.51.el6 will be an update
    ---> Package libuuid.x86_64 0:2.17.2-12.9.el6 will be updated
    ---> Package libuuid.x86_64 0:2.17.2-12.14.el6 will be an update
    ---> Package libxml2.x86_64 0:2.7.6-12.el6_4.1 will be updated
    ---> Package libxml2.x86_64 0:2.7.6-14.el6 will be an update
    ---> Package libxml2-devel.x86_64 0:2.7.6-12.el6_4.1 will be updated
    ---> Package libxml2-devel.x86_64 0:2.7.6-14.el6 will be an update
    ---> Package logrotate.x86_64 0:3.7.8-16.el6 will be updated
    ---> Package logrotate.x86_64 0:3.7.8-17.el6 will be an update
    ---> Package lvm2.x86_64 0:2.02.98-9.el6 will be updated
    ---> Package lvm2.x86_64 0:2.02.100-8.el6 will be an update
    ---> Package lvm2-libs.x86_64 0:2.02.98-9.el6 will be updated
    ---> Package lvm2-libs.x86_64 0:2.02.100-8.el6 will be an update
    ---> Package mailx.x86_64 0:12.4-6.el6 will be updated
    ---> Package mailx.x86_64 0:12.4-7.el6 will be an update
    ---> Package man-pages-overrides.noarch 0:6.4.1-1.el6 will be updated
    ---> Package man-pages-overrides.noarch 0:6.5.3-1.el6_5 will be an update
    ---> Package mdadm.x86_64 0:3.2.5-4.el6 will be updated
    ---> Package mdadm.x86_64 0:3.2.6-7.el6 will be an update
    ---> Package module-init-tools.x86_64 0:3.9-21.el6 will be updated
    ---> Package module-init-tools.x86_64 0:3.9-21.el6_4 will be an update
    ---> Package net-snmp.x86_64 1:5.5-44.el6_4.4 will be updated
    ---> Package net-snmp.x86_64 1:5.5-49.el6_5.1 will be an update
    ---> Package net-snmp-devel.x86_64 1:5.5-44.el6_4.4 will be updated
    ---> Package net-snmp-devel.x86_64 1:5.5-49.el6_5.1 will be an update
    ---> Package net-snmp-libs.x86_64 1:5.5-44.el6_4.4 will be updated
    ---> Package net-snmp-libs.x86_64 1:5.5-49.el6_5.1 will be an update
    ---> Package net-snmp-utils.x86_64 1:5.5-44.el6_4.4 will be updated
    ---> Package net-snmp-utils.x86_64 1:5.5-49.el6_5.1 will be an update
    ---> Package nmap.x86_64 2:5.51-2.el6 will be updated
    ---> Package nmap.x86_64 2:5.51-3.el6 will be an update
    ---> Package nspr.x86_64 0:4.9.2-1.el6 will be updated
    ---> Package nspr.x86_64 0:4.10.2-1.el6_5 will be an update
    ---> Package nss.x86_64 0:3.14.0.0-12.el6 will be updated
    ---> Package nss.x86_64 0:3.15.3-6.el6_5 will be an update
    ---> Package nss-softokn.x86_64 0:3.12.9-11.el6 will be updated
    ---> Package nss-softokn.x86_64 0:3.14.3-9.el6 will be an update
    ---> Package nss-softokn-freebl.i686 0:3.12.9-11.el6 will be updated
    ---> Package nss-softokn-freebl.x86_64 0:3.12.9-11.el6 will be updated
    ---> Package nss-softokn-freebl.i686 0:3.14.3-9.el6 will be an update
    ---> Package nss-softokn-freebl.x86_64 0:3.14.3-9.el6 will be an update
    ---> Package nss-sysinit.x86_64 0:3.14.0.0-12.el6 will be updated
    ---> Package nss-sysinit.x86_64 0:3.15.3-6.el6_5 will be an update
    ---> Package nss-tools.x86_64 0:3.14.0.0-12.el6 will be updated
    ---> Package nss-tools.x86_64 0:3.15.3-6.el6_5 will be an update
    ---> Package nss-util.x86_64 0:3.14.0.0-2.el6 will be updated
    ---> Package nss-util.x86_64 0:3.15.3-1.el6_5 will be an update
    ---> Package ntpdate.x86_64 0:4.2.4p8-3.el6.centos will be updated
    ---> Package ntpdate.x86_64 0:4.2.6p5-1.el6.centos will be an update
    ---> Package ntsysv.x86_64 0:1.3.49.3-2.el6 will be updated
    ---> Package ntsysv.x86_64 0:1.3.49.3-2.el6_4.1 will be an update
    ---> Package numactl.x86_64 0:2.0.7-6.el6 will be updated
    ---> Package numactl.x86_64 0:2.0.7-8.el6 will be an update
    ---> Package openldap.x86_64 0:2.4.23-32.el6_4 will be updated
    ---> Package openldap.x86_64 0:2.4.23-34.el6_5.1 will be an update
    ---> Package openssh.x86_64 0:5.3p1-84.1.el6 will be updated
    ---> Package openssh.x86_64 0:5.3p1-94.el6 will be an update
    ---> Package openssh-clients.x86_64 0:5.3p1-84.1.el6 will be updated
    ---> Package openssh-clients.x86_64 0:5.3p1-94.el6 will be an update
    ---> Package openssh-server.x86_64 0:5.3p1-84.1.el6 will be updated
    ---> Package openssh-server.x86_64 0:5.3p1-94.el6 will be an update
    ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.1 will be updated
    ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
    ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.1 will be updated
    ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be an update
    ---> Package parted.x86_64 0:2.1-19.el6 will be updated
    ---> Package parted.x86_64 0:2.1-21.el6 will be an update
    ---> Package perl.x86_64 4:5.10.1-130.el6_4 will be updated
    ---> Package perl.x86_64 4:5.10.1-136.el6 will be an update
    ---> Package perl-Archive-Extract.x86_64 1:0.38-130.el6_4 will be updated
    ---> Package perl-Archive-Extract.x86_64 1:0.38-136.el6 will be an update
    ---> Package perl-Archive-Tar.x86_64 0:1.58-130.el6_4 will be updated
    ---> Package perl-Archive-Tar.x86_64 0:1.58-136.el6 will be an update
    ---> Package perl-CPAN.x86_64 0:1.9402-130.el6_4 will be updated
    ---> Package perl-CPAN.x86_64 0:1.9402-136.el6 will be an update
    ---> Package perl-CPANPLUS.x86_64 0:0.88-130.el6_4 will be updated
    ---> Package perl-CPANPLUS.x86_64 0:0.88-136.el6 will be an update
    ---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.020-130.el6_4 will be updated
    ---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.021-136.el6 will be an update
    ---> Package perl-Compress-Raw-Zlib.x86_64 1:2.020-130.el6_4 will be updated
    ---> Package perl-Compress-Raw-Zlib.x86_64 1:2.021-136.el6 will be an update
    ---> Package perl-Compress-Zlib.x86_64 0:2.020-130.el6_4 will be updated
    ---> Package perl-Compress-Zlib.x86_64 0:2.021-136.el6 will be an update
    ---> Package perl-Digest-SHA.x86_64 1:5.47-130.el6_4 will be updated
    ---> Package perl-Digest-SHA.x86_64 1:5.47-136.el6 will be an update
    ---> Package perl-ExtUtils-CBuilder.x86_64 1:0.27-130.el6_4 will be updated
    ---> Package perl-ExtUtils-CBuilder.x86_64 1:0.27-136.el6 will be an update
    ---> Package perl-ExtUtils-Embed.x86_64 0:1.28-130.el6_4 will be updated
    ---> Package perl-ExtUtils-Embed.x86_64 0:1.28-136.el6 will be an update
    ---> Package perl-ExtUtils-MakeMaker.x86_64 0:6.55-130.el6_4 will be updated
    ---> Package perl-ExtUtils-MakeMaker.x86_64 0:6.55-136.el6 will be an update
    ---> Package perl-ExtUtils-ParseXS.x86_64 1:2.2003.0-130.el6_4 will be updated
    ---> Package perl-ExtUtils-ParseXS.x86_64 1:2.2003.0-136.el6 will be an update
    ---> Package perl-File-Fetch.x86_64 0:0.26-130.el6_4 will be updated
    ---> Package perl-File-Fetch.x86_64 0:0.26-136.el6 will be an update
    ---> Package perl-IO-Compress-Base.x86_64 0:2.020-130.el6_4 will be updated
    ---> Package perl-IO-Compress-Base.x86_64 0:2.021-136.el6 will be an update
    ---> Package perl-IO-Compress-Bzip2.x86_64 0:2.020-130.el6_4 will be updated
    ---> Package perl-IO-Compress-Bzip2.x86_64 0:2.021-136.el6 will be an update
    ---> Package perl-IO-Compress-Zlib.x86_64 0:2.020-130.el6_4 will be updated
    ---> Package perl-IO-Compress-Zlib.x86_64 0:2.021-136.el6 will be an update
    ---> Package perl-IO-Zlib.x86_64 1:1.09-130.el6_4 will be updated
    ---> Package perl-IO-Zlib.x86_64 1:1.09-136.el6 will be an update
    ---> Package perl-IPC-Cmd.x86_64 1:0.56-130.el6_4 will be updated
    ---> Package perl-IPC-Cmd.x86_64 1:0.56-136.el6 will be an update
    ---> Package perl-Locale-Maketext-Simple.x86_64 1:0.18-130.el6_4 will be updated
    ---> Package perl-Locale-Maketext-Simple.x86_64 1:0.18-136.el6 will be an update
    ---> Package perl-Log-Message.x86_64 1:0.02-130.el6_4 will be updated
    ---> Package perl-Log-Message.x86_64 1:0.02-136.el6 will be an update
    ---> Package perl-Log-Message-Simple.x86_64 0:0.04-130.el6_4 will be updated
    ---> Package perl-Log-Message-Simple.x86_64 0:0.04-136.el6 will be an update
    ---> Package perl-Module-Build.x86_64 1:0.3500-130.el6_4 will be updated
    ---> Package perl-Module-Build.x86_64 1:0.3500-136.el6 will be an update
    ---> Package perl-Module-CoreList.x86_64 0:2.18-130.el6_4 will be updated
    ---> Package perl-Module-CoreList.x86_64 0:2.18-136.el6 will be an update
    ---> Package perl-Module-Load.x86_64 1:0.16-130.el6_4 will be updated
    ---> Package perl-Module-Load.x86_64 1:0.16-136.el6 will be an update
    ---> Package perl-Module-Load-Conditional.x86_64 0:0.30-130.el6_4 will be updated
    ---> Package perl-Module-Load-Conditional.x86_64 0:0.30-136.el6 will be an update
    ---> Package perl-Module-Loaded.x86_64 1:0.02-130.el6_4 will be updated
    ---> Package perl-Module-Loaded.x86_64 1:0.02-136.el6 will be an update
    ---> Package perl-Module-Pluggable.x86_64 1:3.90-130.el6_4 will be updated
    ---> Package perl-Module-Pluggable.x86_64 1:3.90-136.el6 will be an update
    ---> Package perl-Object-Accessor.x86_64 1:0.34-130.el6_4 will be updated
    ---> Package perl-Object-Accessor.x86_64 1:0.34-136.el6 will be an update
    ---> Package perl-Package-Constants.x86_64 1:0.02-130.el6_4 will be updated
    ---> Package perl-Package-Constants.x86_64 1:0.02-136.el6 will be an update
    ---> Package perl-Params-Check.x86_64 1:0.26-130.el6_4 will be updated
    ---> Package perl-Params-Check.x86_64 1:0.26-136.el6 will be an update
    ---> Package perl-Parse-CPAN-Meta.x86_64 1:1.40-130.el6_4 will be updated
    ---> Package perl-Parse-CPAN-Meta.x86_64 1:1.40-136.el6 will be an update
    ---> Package perl-Pod-Escapes.x86_64 1:1.04-130.el6_4 will be updated
    ---> Package perl-Pod-Escapes.x86_64 1:1.04-136.el6 will be an update
    ---> Package perl-Pod-Simple.x86_64 1:3.13-130.el6_4 will be updated
    ---> Package perl-Pod-Simple.x86_64 1:3.13-136.el6 will be an update
    ---> Package perl-Term-UI.x86_64 0:0.20-130.el6_4 will be updated
    ---> Package perl-Term-UI.x86_64 0:0.20-136.el6 will be an update
    ---> Package perl-Test-Harness.x86_64 0:3.17-130.el6_4 will be updated
    ---> Package perl-Test-Harness.x86_64 0:3.17-136.el6 will be an update
    ---> Package perl-Test-Simple.x86_64 0:0.92-130.el6_4 will be updated
    ---> Package perl-Test-Simple.x86_64 0:0.92-136.el6 will be an update
    ---> Package perl-Time-HiRes.x86_64 4:1.9721-130.el6_4 will be updated
    ---> Package perl-Time-HiRes.x86_64 4:1.9721-136.el6 will be an update
    ---> Package perl-Time-Piece.x86_64 0:1.15-130.el6_4 will be updated
    ---> Package perl-Time-Piece.x86_64 0:1.15-136.el6 will be an update
    ---> Package perl-core.x86_64 0:5.10.1-130.el6_4 will be updated
    ---> Package perl-core.x86_64 0:5.10.1-136.el6 will be an update
    --> Processing Dependency: perl-CGI for package: perl-core-5.10.1-136.el6.x86_64
    ---> Package perl-devel.x86_64 4:5.10.1-130.el6_4 will be updated
    ---> Package perl-devel.x86_64 4:5.10.1-136.el6 will be an update
    ---> Package perl-libs.x86_64 4:5.10.1-130.el6_4 will be updated
    ---> Package perl-libs.x86_64 4:5.10.1-136.el6 will be an update
    ---> Package perl-parent.x86_64 1:0.221-130.el6_4 will be updated
    ---> Package perl-parent.x86_64 1:0.221-136.el6 will be an update
    ---> Package perl-version.x86_64 3:0.77-130.el6_4 will be updated
    ---> Package perl-version.x86_64 3:0.77-136.el6 will be an update
    ---> Package pixman.x86_64 0:0.26.2-5.el6_4 will be updated
    ---> Package pixman.x86_64 0:0.26.2-5.1.el6_5 will be an update
    ---> Package policycoreutils.x86_64 0:2.0.83-19.30.el6 will be updated
    ---> Package policycoreutils.x86_64 0:2.0.83-19.39.el6 will be an update
    ---> Package psmisc.x86_64 0:22.6-15.el6_0.1 will be updated
    ---> Package psmisc.x86_64 0:22.6-19.el6_5 will be an update
    ---> Package python.x86_64 0:2.6.6-36.el6 will be updated
    ---> Package python.x86_64 0:2.6.6-52.el6 will be an update
    ---> Package python-devel.x86_64 0:2.6.6-36.el6 will be updated
    ---> Package python-devel.x86_64 0:2.6.6-52.el6 will be an update
    ---> Package python-ethtool.x86_64 0:0.6-3.el6 will be updated
    ---> Package python-ethtool.x86_64 0:0.6-5.el6 will be an update
    ---> Package python-libs.x86_64 0:2.6.6-36.el6 will be updated
    ---> Package python-libs.x86_64 0:2.6.6-52.el6 will be an update
    ---> Package python-tools.x86_64 0:2.6.6-36.el6 will be updated
    ---> Package python-tools.x86_64 0:2.6.6-52.el6 will be an update
    ---> Package python-urlgrabber.noarch 0:3.9.1-8.el6 will be updated
    ---> Package python-urlgrabber.noarch 0:3.9.1-9.el6 will be an update
    ---> Package quota.x86_64 1:3.17-18.el6 will be updated
    ---> Package quota.x86_64 1:3.17-21.el6_5 will be an update
    ---> Package quota-devel.x86_64 1:3.17-18.el6 will be updated
    ---> Package quota-devel.x86_64 1:3.17-21.el6_5 will be an update
    ---> Package rpm.x86_64 0:4.8.0-32.el6 will be updated
    ---> Package rpm.x86_64 0:4.8.0-37.el6 will be an update
    ---> Package rpm-devel.x86_64 0:4.8.0-32.el6 will be updated
    ---> Package rpm-devel.x86_64 0:4.8.0-37.el6 will be an update
    ---> Package rpm-libs.x86_64 0:4.8.0-32.el6 will be updated
    ---> Package rpm-libs.x86_64 0:4.8.0-37.el6 will be an update
    ---> Package rpm-python.x86_64 0:4.8.0-32.el6 will be updated
    ---> Package rpm-python.x86_64 0:4.8.0-37.el6 will be an update
    ---> Package rsync.x86_64 0:3.0.6-9.el6 will be updated
    ---> Package rsync.x86_64 0:3.0.6-9.el6_4.1 will be an update
    ---> Package rsyslog.x86_64 0:5.8.10-6.el6 will be updated
    ---> Package rsyslog.x86_64 0:5.8.10-8.el6 will be an update
    ---> Package selinux-policy.noarch 0:3.7.19-195.el6_4.3 will be updated
    ---> Package selinux-policy.noarch 0:3.7.19-231.el6_5.1 will be an update
    ---> Package selinux-policy-targeted.noarch 0:3.7.19-195.el6_4.3 will be updated
    ---> Package selinux-policy-targeted.noarch 0:3.7.19-231.el6_5.1 will be an update
    ---> Package setup.noarch 0:2.8.14-20.el6 will be updated
    ---> Package setup.noarch 0:2.8.14-20.el6_4.1 will be an update
    ---> Package setuptool.x86_64 0:1.19.9-3.el6 will be updated
    ---> Package setuptool.x86_64 0:1.19.9-4.el6 will be an update
    ---> Package subversion.x86_64 0:1.6.11-9.el6_4 will be updated
    ---> Package subversion.x86_64 0:1.6.11-10.el6_5 will be an update
    ---> Package sudo.x86_64 0:1.8.6p3-7.el6 will be updated
    ---> Package sudo.x86_64 0:1.8.6p3-12.el6 will be an update
    ---> Package sysstat.x86_64 0:9.0.4-20.el6 will be updated
    ---> Package sysstat.x86_64 0:9.0.4-22.el6 will be an update
    ---> Package sysvinit-tools.x86_64 0:2.87-4.dsf.el6 will be updated
    ---> Package sysvinit-tools.x86_64 0:2.87-5.dsf.el6 will be an update
    ---> Package tkinter.x86_64 0:2.6.6-36.el6 will be updated
    ---> Package tkinter.x86_64 0:2.6.6-52.el6 will be an update
    ---> Package tzdata.noarch 0:2013b-1.el6 will be updated
    ---> Package tzdata.noarch 0:2014b-1.el6 will be an update
    ---> Package udev.x86_64 0:147-2.46.el6 will be updated
    ---> Package udev.x86_64 0:147-2.51.el6 will be an update
    ---> Package upstart.x86_64 0:0.6.5-12.el6 will be updated
    ---> Package upstart.x86_64 0:0.6.5-13.el6_5.3 will be an update
    ---> Package util-linux-ng.x86_64 0:2.17.2-12.9.el6 will be updated
    ---> Package util-linux-ng.x86_64 0:2.17.2-12.14.el6 will be an update
    ---> Package wget.x86_64 0:1.12-1.8.el6 will be updated
    ---> Package wget.x86_64 0:1.12-1.11.el6_5 will be an update
    ---> Package yum.noarch 0:3.2.29-40.el6.centos will be updated
    ---> Package yum.noarch 0:3.2.29-43.el6.centos will be an update
    ---> Package yum-plugin-fastestmirror.noarch 0:1.1.30-14.el6 will be updated
    ---> Package yum-plugin-fastestmirror.noarch 0:1.1.30-17.el6_5 will be an update
    ---> Package yum-utils.noarch 0:1.1.30-14.el6 will be updated
    ---> Package yum-utils.noarch 0:1.1.30-17.el6_5 will be an update
    --> Running transaction check
    ---> Package irqbalance.x86_64 2:1.0.4-8.el6_5 will be an update
    --> Processing Dependency: kernel >= 2.6.32-358.2.1 for package: 2:irqbalance-1.0.4-8.el6_5.x86_64
    ---> Package p11-kit.x86_64 0:0.18.5-2.el6_5.2 will be installed
    ---> Package p11-kit-trust.x86_64 0:0.18.5-2.el6_5.2 will be installed
    ---> Package perl-CGI.x86_64 0:3.51-136.el6 will be installed
    ---> Package shared-mime-info.x86_64 0:0.70-4.el6 will be installed
    --> Finished Dependency Resolution
    Error: Package: 2:irqbalance-1.0.4-8.el6_5.x86_64 (updates)
               Requires: kernel >= 2.6.32-358.2.1
     You could try using --skip-broken to work around the problem
     You could try running: rpm -Va --nofiles --nodigest
    checkyum version 21.1
    
    It looks like this is because I use OVH and they use an annoying custom kernel. Any ideas?
     
  16. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    From shell:
    Code:
    yum update
    to make sure you have the updated openssl packages, then:
    Code:
    /scripts/easyapache
    But if you are unsure about running such a major update to your server you should contact cPanel or an administration company to do it for you.
     
  17. egohost

    egohost Registered

    Joined:
    Apr 8, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Re: OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

    Currently cPanel on standard RELEASE level is distributed with OpenSSL 1.0.1e-fips 11 Feb 2013
    There are no further updates as far as I can see when using the update options.

    I hope that very soon cPanel will update RELEASE with 1.0.1G or greater, or at least redist with the compile option -DOPENSSL_NO_HEARTBEATS.

    - - - Updated - - -

    There is a full document here: http://heartbleed.com/
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    649
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    cPanel Security Team: Heartbleed Vulnerability

    Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.

    This vulnerability allows an attacker to read 64 kilobyte chunks of memory from servers and clients that connect using SSL, through a flaw in OpenSSL's implementation of the heartbeat extension.

    What does this mean for cPanel servers?

    cPanel & WHM does not provide any copies of the OpenSSL library. The daemons and applications shipped with cPanel & WHM link to the version of OpenSSL provided by the core operating system. RedHat 6, CentOS 6, and CloudLinux 6 provided vulnerable versions of OpenSSL 1.0.1. All three distros have published patched versions of their OpenSSL 1.0.1 RPMs to their mirrors. To update any affected servers, run “yum update” to install the patched version of OpenSSL and restart all SSL-enabled services or reboot the system.

    You can ensure you are updated by running the following command:
    Code:
    # rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
    * Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
    You should see the information noting the fix to CVE-2014-0160.

    RHEL/CentOS 5 servers, which are using the OpenSSL 0.9.8 RPM included in the official OS repositories, are not vulnerable to the Heartbleed issue since they are using an older version of OpenSSL that never contained this vulnerability.

    What steps do I need to take as an Admin/root of our servers running cPanel & WHM?

    Once the RPM of OpenSSL has been updated you should reset all certificates via the Manage Service SSL Certificates interface in WHM.

    Home » Service Configuration » Manage Service SSL Certificates

    You will need to click the ‘Reset Certificate’ link for each service: FTP, Exim, cPanel/WHM/Webmail Service, and Dovecot or Courier Mail Server.

    You should also check the SSL certificates in the Manage SSL Hosts interface of WHM.

    Home » SSL/TLS » Manage SSL Hosts

    Many Certificate Authorities are helping their customers regenerate SSL certificates at no cost. This may vary and your Certificate Authority should be contacted prior to any actions to ensure the proper procedures are followed.

    Do we need to reset our passwords and regenerate our private and public keys on the server?

    Due to the nature of the vulnerability, it is impossible to know what other information, including private keys, passwords, and session IDs, has been compromised. The attack occurs before a full connection to your server has been made, leaving no indications in any logs that an attack has occurred. It is recommended that you regenerate all SSH keys and reset all passwords across the server.
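    The two checks that the replies above describe, updating the openssl RPM and then restarting every SSL-enabled service, can be scripted. The following is an added example (not cPanel's code and not from any post in this thread) for a RHEL/CentOS 6 host: it confirms that the installed openssl RPM's changelog carries the CVE-2014-0160 fix, and then walks /proc to find daemons that still have the pre-update libssl/libcrypto mapped, since a patched RPM on disk does nothing for a process that loaded the old library before "yum update" ran. The changelog and /proc maps samples embedded below are constructed, and the script name and the "--live" flag are this example's own choices.

```shell
#!/bin/sh
# heartbleed_postcheck.sh - post-update verification for CVE-2014-0160 on RHEL/CentOS 6.
# Added example; not cPanel's own tooling.

# Constructed sample data (not output captured from any real server).
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Example Packager 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Thu Feb 07 2013 Example Packager 1.0.1e-15
- rebase to 1.0.1e'

SAMPLE_MAPS='7f1e2c000000-7f1e2c1c0000 r-xp 00000000 fd:01 1234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1e2c1c0000-7f1e2c3c0000 r-xp 00000000 fd:01 1235 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1e2c400000-7f1e2c420000 r-xp 00000000 fd:01 1300 /lib64/libc-2.12.so'

# Reads `rpm -q --changelog openssl` output on stdin; succeeds if the fix entry is present.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Reads one /proc/<pid>/maps on stdin and prints every libssl/libcrypto path that
# the kernel marks "(deleted)", i.e. a library file that was replaced on disk
# after this process loaded it. An empty result means the process is clean.
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /lib(ssl|crypto)\.so/ { print $(NF-1) }' | sort -u
}

# Convenience wrapper: number of distinct stale SSL libraries in a maps file.
count_stale_ssl_libs() {
    stale_ssl_libs | wc -l | tr -d ' '
}

# Walks every process on the box and reports the pids that must be restarted.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_libs < "$maps" 2>/dev/null) || continue
        if [ -n "$libs" ]; then
            printf 'pid %s still maps the old library: %s\n' "$pid" "$libs"
        fi
    done
}

# Live mode only when explicitly requested, so the functions can be sourced/tested offline.
if [ "${1:-}" = "--live" ]; then
    if rpm -q --changelog openssl | changelog_has_fix; then
        echo "openssl RPM changelog lists the CVE-2014-0160 fix"
    else
        echo "openssl RPM does NOT list the CVE-2014-0160 fix: run yum update first"
    fi
    scan_running_processes
fi
```

    Run it as root with `sh heartbleed_postcheck.sh --live` after "yum update"; every pid it lists (typically httpd, exim, dovecot/courier, cpsrvd, pure-ftpd) still serves TLS with the vulnerable code and needs a restart, which is why the cPanel Security Team's note says to restart all SSL-enabled services or reboot. An empty scan with the changelog check passing is the state you want before resetting the service certificates in WHM.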
     
  19. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    125
    Likes Received:
    0
    Trophy Points:
    16
    I guess we should change the root password if we logged in to WHM:2087 before updating OpenSSL?
     
  20. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Try the suggestions in the output from YUM; for example:
    Code:
    yum upgrade --skip-broken
     