Question

How does one check the version of OpenSSL for the Heartbleed vulnerability on CentOS systems, and what is the procedure for manually updating it?


Solution

To check the version you should just be able to run the following command from the command line:

openssl version -v

This should output something like:

OpenSSL 1.0.1e-fips 11 Feb 2013

Information on what versions of the OpenSSL are affected:

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

More information on the heartbleed vulnerability can be found at http://heartbleed.com/

You only need to update if your CentOS host is a server running openssl. If you are worried about being a client connecting, the version of openssl is irrelevant as the vulnerability exploit depends on the server side version, not client side. A good blog post on how the heartbleed vulnerability works can be found here.

To manually update openssl you can run the command:

yum update openssl

You will need to be root/have root privileges to run the update. See more information on managing packages for CentOS here
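As an added example (not part of the answer above, and not an OpenSSL or CentOS tool), the following POSIX shell script turns the version table from the answer into a check: it parses the output of `openssl version`, strips distribution suffixes such as `-fips`, and reports whether the string falls in the affected 1.0.1 through 1.0.1f range. The function name `heartbleed_status` and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example: classify an "openssl version" string against the affected
# ranges listed in the answer above. Function and sample strings are constructed.

# heartbleed_status "OpenSSL 1.0.1e-fips 11 Feb 2013"
#   prints: vulnerable | not-vulnerable | unknown
heartbleed_status() {
    # Second whitespace-separated field is the version, e.g. "1.0.1e-fips"
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    # Drop vendor suffixes such as "-fips" or "-fips-rhel5"
    ver=${ver%%-*}
    case "$ver" in
        1.0.1|1.0.1[a-f])   echo vulnerable ;;       # 1.0.1 .. 1.0.1f inclusive
        1.0.1[g-z]*)        echo not-vulnerable ;;   # 1.0.1g and later letters
        1.0.0*|0.9.8*)      echo not-vulnerable ;;   # branches the answer lists as unaffected
        *)                  echo unknown ;;          # anything the table does not cover
    esac
}

# check_local_openssl: run the real binary if present and classify its output.
# Returns 1 when openssl is not on PATH so callers can tell the cases apart.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        out=$(openssl version)
        printf '%s -> %s\n' "$out" "$(heartbleed_status "$out")"
    else
        echo "openssl not found on PATH" >&2
        return 1
    fi
}

# Stand-alone usage: classify the local install, ignoring a missing binary
check_local_openssl || true
```

One caveat worth knowing on CentOS: Red Hat and CentOS backport security fixes into the existing package version, so a patched host can still print `OpenSSL 1.0.1e-fips` and this script will report it as vulnerable. Treat the version string as a first pass and confirm with the package metadata, for example `rpm -q openssl` to see the installed release and `rpm -q --changelog openssl` to read the fix history. After `yum update openssl`, processes that already loaded the old library (web servers, mail servers, VPN daemons) keep using it until they are restarted.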

Licensed under: CC-BY-SA with attribution