To anyone still getting warnings from Test your server for Heartbleed (CVE-2014-0160): simply try rebooting your server. Most OS vendors have released a patch by now, but it doesn't take effect until your server is restarted.
> I've updated openssl but even after a reboot, php info shows OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013 is this correct?

Yes, the output you provided indicates the patch has been applied:
Code:
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
The RPM is patched, so you won't necessarily see a new version. Instead, you will see the CVE listed in the RPM change log.
> Not working for me. Already tried whm > software > update system software and update server software. Both had no updates.
> [email protected] [~]# rpm -qa |grep openssl
> openssl-1.0.1e-16.el6_5.x86_64
> openssl-devel-1.0.1e-16.el6_5.x86_64

Please run the following command:
Code:
rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160
> Why CPanel is using "mirrors.prometeus.net" as repository?
> and why is not updated with latest patch?
> Thanks,
> Max

cPanel does not distribute OpenSSL packages. The OpenSSL packages and updates for them originate from your OS vendor and applicable YUM/RPM repositories. The mirror addresses may vary depending on your OS distribution and YUM configuration.
> so to confirm...
> this means my system is NOT vulnerable?
> [[email protected] ~]# openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> If I go to the heartbleed site it still says I am vulnerable.
> It's very confusing!

Run this command:
Code:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
You can check exact version with:
Code:
rpm -qa |grep openssl
Answer for RHEL 6/Centos 6 should be:
Code:
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64

Hello:
if I check using the above command and I get exactly that answer.. that means my servers are OK and I don't need any upgrade?
Thanks
Fabian

Code:
rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
> one of my servers :
> [~]# openssl version
> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

RHEL/CentOS 5 servers which are using the OpenSSL 0.9.8 RPM included in the official OS repositories are not vulnerable, since they are using an older version of OpenSSL that never contained this vulnerability.
> Is a graceful server reboot via WHM sufficient? I have done it and checked that the vulnerability is gone and it appears to have gone now. But is a graceful server reboot enough to restart all the affected services?

Yes. A reboot is still a reboot, and in doing so restarts all services.
> Also is there a list of vulnerable ports available that I can test?

A list of ports will vary based on what all you have running on your server; you can manually check via command-line which ports services are listening on and test those. Try lsof and netstat via CLI as root.
Code:
man lsof
man netstat
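The three checks this thread keeps circling back to (the RPM changelog lookup, the "is a reboot enough" question, and the lsof suggestion just above) can be scripted so an admin is not judging by `openssl version`, which keeps printing 1.0.1e after the backported fix. The script below is an added example, not cPanel's code or any poster's; it assumes the RHEL/CentOS 6 package names quoted in the thread (openssl-1.0.1e-16.el6_5.7 as the fixed build), and the changelog and lsof lines it runs against offline are constructed samples.

```shell
#!/bin/sh
# Added example (not from cPanel or the forum posters).
# Three checks for a RHEL/CentOS 6 box after the Heartbleed update:
#   1. the CVE is named in the openssl RPM changelog,
#   2. the installed release is at or above the fixed build named in the thread,
#   3. no running process still maps a deleted pre-update libssl/libcrypto,
#      which is exactly what a reboot (or per-service restart) clears.

CVE="CVE-2014-0160"
FIXED_BASE="1.0.1e-16.el6_5"   # base release of the RHEL/CentOS 6.5 openssl build
FIXED_LEVEL=7                  # thread: openssl-1.0.1e-16.el6_5.7 carries the fix

# Check 1: read `rpm -q --changelog openssl` output on stdin; exit 0 and echo
# the matching entry (plus its header line) when the CVE is named.
cve_in_changelog() {
    grep -B 1 "$CVE"
}

# Check 2a: trailing patch level of an openssl NVRA string, e.g.
# openssl-1.0.1e-16.el6_5.7.x86_64 -> 7; no suffix or another base -> 0.
release_patch_level() {
    nvra=$1
    case "$nvra" in
        openssl-"$FIXED_BASE".*|openssl-devel-"$FIXED_BASE".*)
            rest=${nvra#*-"$FIXED_BASE".}   # "7.x86_64" or just "x86_64"
            level=${rest%%.*}
            case "$level" in
                ''|*[!0-9]*) echo 0 ;;      # no numeric suffix: the original 6.5 build
                *) echo "$level" ;;
            esac ;;
        *) echo 0 ;;
    esac
}

# Check 2b: succeed when the package is the fixed build or later.
package_is_fixed() {
    [ "$(release_patch_level "$1")" -ge "$FIXED_LEVEL" ]
}

# Check 3: read `lsof -n` output on stdin and print "COMMAND PID" for every
# process whose mapped libssl/libcrypto file was deleted by the update
# (lsof flags such maps with DEL in the FD column). Any output means that
# process still runs the old library and needs a restart.
stale_ssl_processes() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)/ { print $1, $2 }' | sort -u
}

# Offline demonstration on constructed lsof lines (not captured from a real host).
SAMPLE_LSOF='httpd 1863 root DEL REG 8,1 3674636 /usr/lib64/libssl.so.1.0.1e
httpd 1863 root mem REG 8,1 4096 123 /usr/lib64/libcrypto.so.1.0.1e
sshd 900 root DEL REG 8,1 555 /usr/lib64/libcrypto.so.1.0.1e'
printf 'constructed sample -> restart needed for:\n%s\n' \
    "$(printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_processes)"

# Live run, only when rpm/lsof exist on this host.
heartbleed_status() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl | cve_in_changelog || echo "changelog: $CVE not found"
        # only the 1.0.1e packages; the openssl098e compat package never had the bug
        for pkg in $(rpm -qa | grep -E '^openssl(-devel)?-1\.0\.1e-'); do
            package_is_fixed "$pkg" && echo "ok:  $pkg" || echo "OLD: $pkg"
        done
    fi
    if command -v lsof >/dev/null 2>&1; then
        stale=$(lsof -n 2>/dev/null | stale_ssl_processes)
        [ -n "$stale" ] && printf 'live host -> restart still needed for:\n%s\n' "$stale"
    fi
    return 0
}
heartbleed_status
```

Run it as root; the changelog check is the one the cPanel staff reply relies on, the release check encodes the "answer should be" package list from the thread, and the DEL scan is the reason the reboot advice works: a process keeps the old library mapped until it is restarted, whatever `rpm -qa` says.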
> Finally, after that is done I believe I still need to re-issue SSL certificates? Including service SSL certificates just to be safe?
> Then once that is done finally change passwords?
> Just want to be clear on this. Thanks

Yes; I believe it is a very good idea to change passwords and create new keys to then re-issue SSL certificates.
> Is there any recommended way to patch and verify cPanel DNS Only servers?

Just run 'yum -y update' as normal, reboot.