What should I do about the Heartbleed bug for the sites I run?

Question

The recently announced Heartbleed bug in OpenSSL affects many sites (70% of the internet).

There's a website:

There's a web-based test:

What should I do to protect the sites that I run?

Better answered on [sf] - [Heartbleed: What is it and what are options to mitigate it?](http://serverfault.com/q/587329) — Sathyajith Bhat, Apr 08 '14 at 15:56
… as well as the StackExchange for security professionals. See http://security.stackexchange.com/questions/55076/ and http://security.stackexchange.com/questions/tagged/heartbleed . — JdeBP, Apr 08 '14 at 16:22
Every major SE computer related site now has this question... Probably soon it will be asked even on [cooking.stackexchange.com](http://cooking.stackexchange.com/) :D — VL-80, Apr 08 '14 at 19:10
I have added an end-user version of this question at http://superuser.com/questions/739260/what-should-end-users-do-about-the-heartbleed-security-bug (but someone has already downvoted it, without explanation). — danorton, Apr 08 '14 at 19:10

score 7 · Answer 1 · answered Apr 08 '14 at 15:42

7

You should:

Update your system to the latest OpenSSL version
Generate new keys and certificates for services relying on OpenSSL and restart them
Revoke former certificates
Invalidate all established sessions

answered Apr 08 '14 at 15:42

Executifs

I don’t suppose you know of some nice clear instructions for the last three steps, do you? – Paul D. Waite Apr 08 '14 at 17:28
Revoking and regenerating production certificates usually involves whichever process your CA has in place. Since that varies from one CA to the next... – Roger Lipscombe Apr 08 '14 at 17:50
How to update your system depends on your package manager. Invalidating sessions is application-dependent. As for certificates, you'll have to contact your CA but the first step should be to generate a new key and CSR: `openssl req -nodes -newkey rsa:4096 -keyout post_heartbleed.key -out post_heartbleed.csr`! – Executifs Apr 09 '14 at 08:14

score 4 · Answer 2 · edited Apr 08 '14 at 16:42

4

Update your system:

sudo apt-get update
sudo apt-get upgrade

edited Apr 08 '14 at 16:42

Oliver Salzburg

answered Apr 08 '14 at 15:35

Matt Cruikshank

The OP delivers! – I am John Galt Apr 08 '14 at 17:12
1

@IamJohnGalt It's not like it's a locked safe or something. ;) – Ƭᴇcʜιᴇ007 Apr 08 '14 at 17:28
14

This is **not** sufficient. The SSL keys need to be replaced, without doing that a patch will still leave you vulnerable to past key theft. – Kyeotic Apr 08 '14 at 17:47
This assumes your system uses `apt-get` as your package manager. The question does not suggest this is necessarily the case. – Michael Apr 09 '14 at 17:12

score 0 · Answer 3 · answered Apr 09 '14 at 19:00

0

More specifically for Ubuntu or Debian in general

/etc/init.d/apache2 stop
aptitude update
dpkg -l \*libssl\*
aptitude safe-upgrade libssl1.0.0
dpkg -l \*libssl\*
/etc/init.d/apache2 start

answered Apr 09 '14 at 19:00

rleir

3 Answers3