[TriLUG] Heartbleed SSL vuln: regenerate your ssh host keys?

Igor Partola igor at igorpartola.com
Tue Apr 8 13:47:56 EDT 2014


As a quick update, note that different distributions are taking different
approaches to releasing fixes. For example, in Ubuntu the new package seems
to be versioned at 1.0.1-4ubuntu5.12. In CentOS the version of libssl seems
to still be vulnerable (1.0.1e) but they seem to have simply disabled
the heartbeat extension instead of upgrading to the latest version of
libssl (openssl-1.0.1e-16.el6_5.7 is the new package where 5.7 means it's
been patched).

During this process I realized what a mess libssl versioning is and how
much every player involved messes with it.

On the plus side I learned of a cool utility available for Debian/Ubuntu:
`apt-get install debian-goodies`, then run `sudo checkrestart`. This will
give you a list of processes whose libraries were upgraded but the
processes were not restarted. Very useful, given that in this case it's not
enough to upgrade libssl: you also must restart every process that uses it
to start using the new version.

Igor
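
The check checkrestart performs, as an added example that is not part of the original post or of debian-goodies: when a package upgrade replaces libssl on disk, every process that loaded the old copy keeps the old inode mapped, and /proc/PID/maps marks that entry "(deleted)". The script below walks the maps files and reports such processes. The proc root is a parameter so the function can be exercised against a constructed directory tree; the process names, PIDs and paths in the sample are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): list processes that still have
# a replaced shared library mapped, the condition checkrestart reports.
# After an upgrade replaces libssl on disk, running processes keep the old
# inode mapped and /proc/PID/maps shows that entry as "... (deleted)".

# find_stale_libs PROCROOT [PATTERN]
# Prints "PID COMM PATH" for every mapped file marked (deleted) whose path
# matches PATTERN (an awk regex; default: anything containing ".so").
# PROCROOT is normally /proc; it is a parameter so the function can be run
# against a constructed directory tree.
find_stale_libs() {
    procroot=${1:-/proc}
    pattern=${2:-'[.]so'}
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue        # unreadable (not root) or no match
        piddir=$(dirname "$maps")
        pid=$(basename "$piddir")
        name=$(cat "$piddir/comm" 2>/dev/null)
        [ -n "$name" ] || name='?'
        # maps columns: address perms offset dev inode path [(deleted)]
        awk -v pid="$pid" -v name="$name" -v pat="$pattern" '
            NF >= 7 && $NF == "(deleted)" && $6 ~ pat { seen[$6] = 1 }
            END { for (p in seen) print pid, name, p }
        ' "$maps"
    done | sort -u
}

# make_sample_proc: build a constructed /proc look-alike in a temp dir and
# print its path. Sample data, not captured from a real host.
make_sample_proc() {
    sroot=$(mktemp -d)
    mkdir -p "$sroot/1234" "$sroot/5678"
    printf 'nginx\n' > "$sroot/1234/comm"
    printf 'sshd\n' > "$sroot/5678/comm"
    # nginx: still mapping the pre-upgrade libssl/libcrypto, plus a deleted
    # temp file that is not a library (ignored by the default pattern)
    cat > "$sroot/1234/maps" <<'EOF'
7f11a0000000-7f11a0200000 r-xp 00000000 08:01 1001 /usr/lib/libssl.so.1.0.0 (deleted)
7f11a0400000-7f11a0600000 r-xp 00000000 08:01 1002 /usr/lib/libcrypto.so.1.0.0 (deleted)
7f11a0800000-7f11a0801000 rw-s 00000000 08:01 1003 /var/cache/nginx/tmp (deleted)
EOF
    # sshd: already restarted, mapping the current (not deleted) libssl
    cat > "$sroot/5678/maps" <<'EOF'
7f22b0000000-7f22b0200000 r-xp 00000000 08:01 2001 /usr/lib/libssl.so.1.0.0
EOF
    printf '%s\n' "$sroot"
}

# Demo against the constructed tree; on a real host run: find_stale_libs /proc
sample=$(make_sample_proc)
find_stale_libs "$sample"
rm -rf "$sample"
```

On a real host run it as root, since /proc/PID/maps of other users' processes is not readable otherwise, and pass a narrower pattern such as `'libssl|libcrypto'` to limit the report to OpenSSL. Note that this only tells you which processes need a restart; it says nothing about whether the library on disk is itself fixed, which, as the distribution examples above show, cannot be read off the version string alone.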

