OpenSSL upgrade to fix the Heartbleed vulnerability

Source: Internet
Author: User


There is also a service that tests whether a web site is affected: Test your server for Heartbleed (CVE-2014-0160) (it has been returning 503 for a long time now).

According to the description on that page, this flaw in the OpenSSL implementation lets an attacker read sensitive memory from the host during the handshake phase, possibly even the private key of the SSL certificate! The flaw appeared in 2012 and was only fixed yesterday (April 7, 2014). A question for the information security professionals who know about this vulnerability: what is the scope of its exploitability and impact? And has this 0day already been widely used?

A very serious vulnerability. It affects OpenSSL versions 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a and 1.0.1 with the heartbeat extension enabled:
http://www.openssl.org/news/vulnerabilities.html
I just checked our server (Gentoo): it runs 1.0.1c, one of the affected versions, but we did not enable heartbeat, so it is not a real threat for us. We patched anyway, to be on the safe side.
https://github.com/openssl/openssl/commit/7e840163c06c7692b796a93e3fa85a93136adbb2
If you just want to check whether your server is under threat, there is now a ready-made tool:
titanous/heartbleeder on GitHub
You can also use the following OpenSSL command directly to find out:

This command only tells you whether heartbeat is enabled; it does not tell you whether you are under threat. You have to combine it with the OpenSSL version to decide.

Someone on Hacker News posted this script, which checks which of the Alexa top one million web sites have heartbeat enabled on their server:

Download Alexa top 1,000,000 Websites for free
I wrote a bash script to check the top 1000 websites and huge percentage of them ...
I ran it for a while but did not seem to find anything valuable. In fact, there are not that many occasions for the heartbeat extension to actually be used in OpenSSL, and large sites respond very quickly, so big flaws are hard to spot. It is unclear whether the 0day was used before it was disclosed.

All major distributions have now released patches; please update as soon as possible.

I am using CentOS. The versions officially listed as affected are 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a and 1.0.1; the Heartbleed vulnerability was fixed in OpenSSL 1.0.1g. All CentOS 6.5 systems running OpenSSL 1.0.1e (openssl-1.0.1e-16.el6_5.4) are at risk, and apparently only 6.5 is affected.

First check your OpenSSL version with the following command:

# openssl version

Or

# openssl version -a    # the -a option prints more detail

Or, on the Red Hat family:

# yum info openssl

Ubuntu and Debian can use the following command:

# dpkg-query -l 'openssl'

All right, I am on OpenSSL 1.0.1f, an affected version. What a pit. But heartbeat was not enabled and HTTPS access was not set up, so there is no impact; I upgraded anyway.

Enter the command to upgrade the OpenSSL version:

# yum clean all && yum update "openssl*"    # Red Hat family

Ubuntu and Debian can use the following command:

# apt-get update
# apt-get upgrade

openSUSE uses the following command:

# zypper update

Make sure you end up with openssl-1.0.1e-16.el6_5.7 or a newer version. If your yum repository does not have this package yet, you can only download the RPM package and install it manually; I reckon it is available.

Why install openssl-1.0.1e-16.el6_5.7? Because that is the version in which the fix was applied; see http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html. Another reason is that my yum repository has no openssl-1.0.1g package.

Then run the following command to check which processes are still using the deleted old OpenSSL library:

# lsof -n | grep ssl | grep DEL

If nothing is listed, all is fine. If something is listed, you will have to restart the processes that are still using the old OpenSSL library. I could not be bothered to restart them one by one; it is only a small blog, so I simply rebooted the server.
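To decide which services need a restart instead of rebooting the whole box, here is an added helper (not from the original post) that filters `lsof -n` output for processes still mapping a deleted libssl or libcrypto; the lsof lines it runs on are constructed for the demo.

```shell
#!/bin/sh
# Added helper (not from the original post): read `lsof -n` output on stdin
# and print "PID COMMAND" once for every process that still has a deleted
# libssl/libcrypto mapped. lsof marks such mappings with "DEL" in the FD
# column, which is what the tutorial's `grep DEL` relies on.
stale_ssl_users() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ {
            key = $2 " " $1
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample of what lsof prints after the library upgrade: httpd
# and sshd still map the deleted 1.0.1e libraries, cron maps an unrelated
# deleted library, nginx maps a live (not deleted) libssl.
SAMPLE_LSOF='COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd     1234 apache  DEL    REG  253,0           262277 /usr/lib64/libssl.so.1.0.1e
httpd     1234 apache  DEL    REG  253,0           262270 /usr/lib64/libcrypto.so.1.0.1e
httpd     1234 apache  mem    REG  253,0   141432  262280 /usr/lib64/libz.so.1.2.3
sshd      2345   root  DEL    REG  253,0           262270 /usr/lib64/libcrypto.so.1.0.1e
cron      3456   root  DEL    REG  253,0           131139 /lib64/libselinux.so.1
nginx     4567  nginx  mem    REG  253,0  1983632  270001 /usr/local/ssl/lib/libssl.so.1.0.0'

# Demo on the constructed sample; on a real host use:  lsof -n | stale_ssl_users
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_users    # prints "1234 httpd" and "2345 sshd"
```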

If possible, it is recommended that you regenerate the SSL private key, change the password, and so on.


Note: you can also use the following command to check whether your installed OpenSSL package has been patched, because each time a vulnerability is fixed the package records it in its changelog. The command is:

# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160    # CVE-2014-0160 is the identifier of this vulnerability; you can look it up on the OpenSSL web site

Output:

* Mon Apr 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

This version has fixed this vulnerability.
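The version check and the changelog check above both feed into one decision, so here is an added example (not from the original post) that combines them: it classifies a host from the output of `openssl version` and of `rpm -q --changelog`, treating a distribution backport as patched even though the version number stays at 1.0.1e. The sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL build for
# CVE-2014-0160 from the two strings the tutorial already collects, the
# output of `openssl version` and of `rpm -q --changelog openssl` (pass an
# empty string on non-RPM systems). Upstream, 1.0.1 through 1.0.1f are
# vulnerable and 1.0.1g is fixed; 0.9.8 and 1.0.0 never had the TLS
# heartbeat code. Distributions backport the fix without bumping the
# version, so a 1.0.1e whose changelog mentions CVE-2014-0160 is patched.
heartbleed_status() {
    version_out="$1"
    changelog="$2"
    # second field of "OpenSSL 1.0.1e-fips 11 Feb 2013" is "1.0.1e-fips"
    ver=$(printf '%s\n' "$version_out" | awk '{print $2}')
    case "$ver" in
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)
            echo "not-vulnerable (upstream fix present)" ;;
        1.0.1|1.0.1-*|1.0.1[a-f]*)
            if printf '%s\n' "$changelog" | grep -qi 'CVE-2014-0160'; then
                echo "patched (distribution backport)"
            else
                echo "VULNERABLE"
            fi ;;
        0.9.*|1.0.0*)
            echo "not-vulnerable (no heartbeat support)" ;;
        *)
            echo "unknown version string: $ver" ;;
    esac
}

# Constructed inputs: an unpatched-looking 1.0.1e version string, and the
# changelog line a patched CentOS 6.5 package prints (as shown above).
SAMPLE_VERSION='OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_CHANGELOG='- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

heartbleed_status "$SAMPLE_VERSION" ""                  # VULNERABLE
heartbleed_status "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG" # patched (distribution backport)
heartbleed_status 'OpenSSL 1.0.1g 7 Apr 2014' ""        # not-vulnerable (upstream fix present)
```

On a live host, call it as `heartbleed_status "$(openssl version)" "$(rpm -q --changelog openssl 2>/dev/null)"`; the function only reports the library build, not whether a given service actually negotiates the heartbeat extension.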

##########################################################################

Update 2014-04-09: installing OpenSSL 1.0.1g directly from source.

First download OpenSSL 1.0.1g with the following command:

# wget -c https://www.openssl.org/source/openssl-1.0.1g.tar.gz

Then download the MD5 checksum file for this version:

# wget -c https://www.openssl.org/source/openssl-1.0.1g.tar.gz.md5

Then verify that the OpenSSL tarball has not been maliciously modified:

# md5sum openssl-1.0.1g.tar.gz | awk '{print $1}' | cmp - openssl-1.0.1g.tar.gz.md5

If the check passes, unpack the package:

# tar -zvxf openssl-1.0.1g.tar.gz    # extract openssl-1.0.1g.tar.gz

Enter the extracted directory:

# cd openssl-1.0.1g

Enter the following commands to compile and install. I set only the parameters that matter to me, because the other parameters are useless for my setup; if you need a parameter, add it yourself. Enter:

# ./config --prefix=/usr/local --openssldir=/usr/local/ssl

# make && make install

# ./config shared --prefix=/usr/local --openssldir=/usr/local/ssl    # build the shared libraries

# make clean

# make && make install

Or add no parameters at all and go completely with the defaults:

# ./config && make && make install

Compiling and installing takes about five or six minutes. If there were no problems, continue with the following command to manually symlink the new OpenSSL binary over the old one:

# ln -sf /usr/local/ssl/bin/openssl $(which openssl)

Finally reboot the server (restarting the individual processes is a hassle); enter:

# reboot

After the reboot, enter the following command to check the OpenSSL version:

# openssl version

Output:

OpenSSL version

Tutorial over!
