OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

cPanelMichael

Administrator
Staff member
The thread you referenced suggests running EasyApache. Do you notice the same OpenSSL version difference in your phpinfo file after running EasyApache?

Thank you.
 

avibodha

Member
cPanel Access Level: Root Administrator
Re: OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

Yes, I did, and it has the same version in phpinfo, OpenSSL 1.0.0.
yum update has no updates for it either.

- - - Updated - - -

...but I didn't
# rm -rf /opt/curlssl
as the poster suggested...wanted to hear if that would break anything first.

Actually, I just found out that the OpenSSL 1.0.0 branch is NOT vulnerable, so that's OK for now.

ravijas

Member
cPanel Access Level: Root Administrator
Heartbleed-OpenSSL Vulnerability

Hi,

Maldet is showing the following warning regarding the Heartbleed vulnerability.

ATTENTION !! OpenSSL heartbleed vulnerability detected in openssl-1.0.1e-30.el6_5.2.x86_64 package, run 'yum update -y openssl' and restart server immediately!
We have checked it using the following command.
# rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability
So please let us know if there is still any problem with openssl.

More info:

# rpm -qa |grep openssl
openssl-1.0.1e-30.el6_5.2.x86_64
openssl098e-0.9.8e-18.el6_5.2.x86_64
openssl-devel-1.0.1e-30.el6_5.2.x86_64
# arch
x86_64
# cat /etc/redhat-release
CentOS release 6.5 (Final)
Thanks,

RaviJas
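
An added example, not part of any post in this thread and not cPanel or Maldet code: a shell check that separates the upstream version range from the thread title (1.0.1 releases before 1.0.1g) from the question of whether a distribution package with an affected upstream version carries a backported fix in its changelog. The function names are hypothetical, and `FIX-ID-PLACEHOLDER` stands for the identifier your vendor's advisory gives for the Heartbleed fix; the changelog line is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and FIX_ID are hypothetical.
LC_ALL=C; export LC_ALL   # make [a-f] ranges in case patterns byte-ordered

# upstream_status VERSION -> affected | not-affected | unknown
# Range from the thread title: 1.0.1 releases before 1.0.1g.
upstream_status() {
    case $1 in
        1.0.1|1.0.1[a-f])        echo affected ;;
        1.0.1[g-z])              echo not-affected ;;
        0.9.*|1.0.0|1.0.0[a-z])  echo not-affected ;;   # older branches
        *)                       echo unknown ;;        # e.g. betas: check by hand
    esac
}

# rpm_upstream_version NVRA -> version field of name-version-release.arch
rpm_upstream_version() {
    nvr=${1%.*}        # drop .arch
    nv=${nvr%-*}       # drop -release
    echo "${nv##*-}"   # keep the version field
}

# package_status NVRA FIX_ID [CHANGELOG]
# An affected upstream version is only reported as affected when the package
# changelog does not mention FIX_ID (distributions backport fixes without
# changing the upstream version string). Without CHANGELOG, rpm is queried.
package_status() {
    st=$(upstream_status "$(rpm_upstream_version "$1")")
    if [ "$st" != affected ]; then echo "$st"; return 0; fi
    if [ "${3+set}" = set ]; then log=$3; else log=$(rpm -q --changelog "$1"); fi
    if printf '%s\n' "$log" | grep -qF -- "$2"; then
        echo patched-by-backport
    else
        echo affected
    fi
}

# Constructed changelog text; FIX-ID-PLACEHOLDER is not a real identifier.
sample_log='- fix FIX-ID-PLACEHOLDER (constructed line)'
package_status openssl-1.0.1e-30.el6_5.2.x86_64 FIX-ID-PLACEHOLDER "$sample_log"
package_status openssl098e-0.9.8e-18.el6_5.2.x86_64 FIX-ID-PLACEHOLDER "$sample_log"
```

The result describes the installed package only; services that loaded the old library keep using it until they are restarted, which is why the Maldet warning asks for a restart after the update.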