A serious security vulnerability has been found in certain versions of the OpenSSL library which is used by servers and other software to security and encrypt network connections.
Affected versions of OpenSSL are 1.0.1 prior to 1.0.1g and 1.0.2-beta. You can read more about the report at the MITRE site.
Please note that some distributions, like CentOS, apply security patches while maintaining version numbers, so the latest openssl.x86_64 0:1.0.1e-16.el6_5.7 will include the fix.
If you want to check your SSL installation, we recommend that you use SSL Labs’s server test tool.
OpenSSL on VPS
If you are running a VPS with CentOS 6.x, Ubuntu 12.04, or Debian 7, we highly recommend that you upgrade OpenSSL immediately. If you have a previous OS version you are not vulnerable, unless you upgraded OpenSSL manually, to be sure check your OpenSSL version. Here’s how to do it:
$ openssl version -a
Updating OpenSSL can be done with the following command:
# CentOS $ yum upgrade # Ubuntu / Debian $ apt-get update && apt-get upgrade
Please note that in order to use the updated library, you will need to restart Apache or other servers that use SSL.
UPDATE: Due to the severity of the issue we have upgraded all VPS with OpenSSL installations that we found to be vulnerable.
OpenSSL on Shared Hosting
On our shared hosting servers we run a previous version of OpenSSL which is not vulnerable so no update is required.
What steps should you take to secure your applications?
If your system was affected, it is advisable to take steps to secure your application. Even though there is no way to know if your system was compromised, the safest option is to act as if it were.
1) If you are using SSL certificates for your sites there is a risk that your certificates have been compromised. So we recommend that you ask your certificate provider to re-issue your certificates and then replace your certificates with the new ones.
2) Change any passwords or other credentials that were encrypted by your old SSL certificates.
3) If your application has user accounts, we recommend you change the passwords on all user accounts
4) If you’re using phpMyAdmin or phpPgAdmin on our servers you should change these passwords.
5) You may want to invalidate all current sessions after requesting your users change their passwords to rule out any potential session hijacking.
You can find more information about the heartbleed bug at http://heartbleed.com
Instructions to update your SSL certificate can be found here.
If you have questions, please open a support ticket.