To anyone still getting warnings from Test your server for Heartbleed (CVE-2014-0160) simply try rebooting your server, most OS vendors have released a patch by now but it doesn't take affect until your server is restarted.
A reboot is not strictly necessary, because you can simply restart each service that uses OpenSSL, but you may find rebooting to be more convenient than restarting each service one by one.
Not working for me. Already tried whm > software > update system software and update server software. Both had no updates.
[email protected] [~]# cat /etc/redhat-release
CloudLinux Server release 6.5 (Pavel Popovich)
[email protected] [~]# yum update openssl
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update
[email protected] [~]# rpm -qi openssl
Name : openssl Relocations: (not relocatable)
Version : 1.0.1e Vendor: CloudLinux
Release : 16.el6_5 Build Date: Wed 04 Dec 2013 06:14:22 AM CST
Install Date: Thu 05 Dec 2013 01:37:11 AM CST Build Host: koji.cloudlinux.com
ro[email protected] [~]# rpm -qa |grep openssl
openssl-1.0.1e-16.el6_5.x86_64
openssl-devel-1.0.1e-16.el6_5.x86_64
Also, I'm getting conflicting results between these two tools for the same domains/ports:
http://filippo.io/Heartbleed/
http://rehmann.co/projects/heartbeat/
[email protected] [~]# cat /etc/redhat-release
CloudLinux Server release 6.5 (Pavel Popovich)
[email protected] [~]# yum update openssl
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update
[email protected] [~]# rpm -qi openssl
Name : openssl Relocations: (not relocatable)
Version : 1.0.1e Vendor: CloudLinux
Release : 16.el6_5 Build Date: Wed 04 Dec 2013 06:14:22 AM CST
Install Date: Thu 05 Dec 2013 01:37:11 AM CST Build Host: koji.cloudlinux.com
ro[email protected] [~]# rpm -qa |grep openssl
openssl-1.0.1e-16.el6_5.x86_64
openssl-devel-1.0.1e-16.el6_5.x86_64
Also, I'm getting conflicting results between these two tools for the same domains/ports:
http://filippo.io/Heartbleed/
http://rehmann.co/projects/heartbeat/
Last edited:
I've updated openssl but even after a reboot, php info shows OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013 is this correct?
rpm -q --changelog openssl-1.0.1e|head
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
* Mon Jan 06 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.3
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
* Fri Dec 20 2013 Tomáš Mráz <[email protected]> 1.0.1e-16.2
rpm -q --changelog openssl-1.0.1e|head
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
* Mon Jan 06 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.3
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
* Fri Dec 20 2013 Tomáš Mráz <[email protected]> 1.0.1e-16.2
Yes, the output you provided indicates the patch has been applied:
The RPM is patched, so you won't necessarily see a new version. Instead, you will see the CVE listed in the RPM change log.
Thank you.
Please run the following command:
Code:
rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160Thank you.
divemasterza
Active Member
Just a bit of heads up: In my case Apachebooster compiles a version of nginx vulnerable to HeartBleed Bug.
Temporarily removing Apachebooster until fix is my only solution.
Temporarily removing Apachebooster until fix is my only solution.
cPanel does not distribute OpenSSL packages. The OpenSSL packages and updates for them originate from your OS vendor and applicable YUM/RPM repositories. The mirror addresses may vary depending on your OS distribution and YUM configuration.
so to confirm...
this means my system is NOT vulnerable?
Its very confusing!
this means my system is NOT vulnerable?
If I go to the heartbleed site it still says I am vulnerable.
Its very confusing!
Run this command:
Code:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160Thank you.
You can check exact version with:
Answer for RHEL 6/Centos 6 should be:Code:rpm -qa |grep openssl
Hello :Code:openssl-1.0.1e-16.el6_5.7.x86_64 openssl-devel-1.0.1e-16.el6_5.7.x86_64
if i check using the above command and i get exactly that answer.. that means my servers are OK and i not need any upgrade?
Thanks
Fabian
Please see my previous post to this thread. While yes, newer versions should include the patch, you can verify this with a command such as:
Thanks.
Code:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160Hello Michael
one of my servers :
[~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
and :
[~]# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
nothing display after that command
also :
[~]# yum update openssl
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update
??
Fabian
one of my servers :
[~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
and :
[~]# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
nothing display after that command
also :
[~]# yum update openssl
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update
??
Fabian
RHEL/CentOS 5 servers which are using the OpenSSL 0.9.8 RPM included in the official OS repositories are not vulnerable since they are using an older version of OpenSSL that never contained this vulnerability.
Is a graceful server reboot via WHM sufficient? I have done it and checked that the vulnerability is gone and it appears to have gone now. But is a graceful server reboot enough to restart all the effected services?
Also is there a list of vulnerable ports available that I can test?
Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSl certificates just to be safe?
Then once that is done finally change passwords?
Just want to be clear on this. Thanks
Also is there a list of vulnerable ports available that I can test?
Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSl certificates just to be safe?
Then once that is done finally change passwords?
Just want to be clear on this. Thanks
Yes. A reboot is still a reboot, and in doing so restarts all services.
A list of ports will vary based on what all you have running on your server; you can manually check via command-line which ports services are listening on and test those. Try lsof and netstat via CLI as root.
Code:
man lsof
man netstatYes; I believe it is a very good idea to change passwords and create new keys to then re-issue SSL certificates.
Before i read this thread i just grep the openssl 1.0.1g from openssl, compile it and install it
then i restart apache, it is working well now.
Although i know cpanel will not recommand this , as this can break things down, but it is hard for us to update cpanel anyway, as we have many customer on the server.
then i restart apache, it is working well now.
Although i know cpanel will not recommand this , as this can break things down, but it is hard for us to update cpanel anyway, as we have many customer on the server.
Just run 'yum -y update' as normal, reboot.
Then check for the updated changelog with "rpm -q --changelog openssl | grep -B 1 CVE-2014-0160"
