Twelve hours sitting in knee-deep chaos, watching twenty progress bars slowly move across a tiny 38cm monitor as patches are installed to correct the OpenSSL hole, a.k.a. the Heartbleed bug, and I just want to go to sleep now. In general, most of the servers that I deal with are not affected by this bug, but for the handful that are, replacing the software was not as easy as I had hoped it would be. Taking the servers off-line, running the configuration routines, and then running security scans: it all adds up to a lot of time spent in one tiny room with stale air.
How serious is this bug?
Well, I ran a bunch of hacks on my own server just to see if gaining access was as easy as the media said it was. After seeing my results, I was left sitting with my jaw on the floor. If you know what to look for, snooping around emails, data files, logs, back-up files, it was all there, albeit I really had to dig around, but I did it. I was stunned! It did not matter what you were running: if you were running OpenSSL, then you had the hole.
As a favour to the online world, I am not going to go into any details. I know it will be months before all of the servers are updated around the world.
If you think that your server is affected by this, then there are a couple of websites that can help you detect whether or not you are vulnerable to Heartbleed. You can run the Heartbleed test here: http://filippo.io/Heartbleed/ and see http://heartbleed.com/ for more information about Heartbleed.
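As an added example that is not part of the original post: a small POSIX shell check that classifies an OpenSSL version string by whether that upstream release is in the Heartbleed range (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed upstream in 1.0.1g and 1.0.2-beta2, while the 0.9.8 and 1.0.0 branches never had the heartbeat code). The function name and the sample version strings are my own, and the self-check at the bottom assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Classify an OpenSSL version string by whether that upstream release
# shipped the Heartbleed (CVE-2014-0160) bug.
# Accepts either a bare version ("1.0.1e") or the full output of
# `openssl version` ("OpenSSL 1.0.1e 11 Feb 2013").
# Returns 0 (shell "true") when the upstream release is vulnerable, 1 otherwise.
heartbleed_vulnerable_version() {
    # Strip the optional "OpenSSL " prefix and anything after the version,
    # keeping a "-betaN" suffix so 1.0.2-beta1 and 1.0.2-beta2 stay distinct.
    # A "-fips" suffix is dropped: 1.0.1e-fips is still 1.0.1e.
    hb_ver=$(printf '%s\n' "$1" \
        | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\(-beta[0-9]\)\{0,1\}\).*/\2/p')
    case "$hb_ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;  # 1.0.1 through 1.0.1f: vulnerable
        1.0.2-beta1)      return 0 ;;  # first 1.0.2 beta: vulnerable
        *)                return 1 ;;  # 0.9.8, 1.0.0, 1.0.1g+, 1.0.2-beta2+, 1.1+: not in range
    esac
}

# Self-check of the locally installed OpenSSL, if any (hypothetical helper).
# The version string alone cannot see a distribution backport, so a
# "vulnerable" verdict here means "check your vendor's advisory", not "confirmed".
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; return 2; }
    local_ver=$(openssl version)
    if heartbleed_vulnerable_version "$local_ver"; then
        echo "$local_ver: upstream release is in the Heartbleed range (unless your distribution backported the fix)"
        return 0
    else
        echo "$local_ver: upstream release is outside the Heartbleed range"
        return 1
    fi
}

check_local_openssl
```

Two caveats when using this on a real box. First, Debian, Ubuntu and Red Hat backport security fixes without bumping the upstream version, so a patched system can still report 1.0.1e; the package changelog or the vendor advisory is the authoritative answer, and this check is only a first pass. Second, after the library is replaced, every long-running process that loaded the old libssl keeps using it until restarted, so reboot or restart each service (on Linux, `lsof` lists such still-mapped, already-deleted libraries with `DEL` in its FD column).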
Heartbleed.com says this about the fixes:
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
As for the open source community, help was rapid and support was fast. I had the patches within a day of receiving the news. Most of the updates were up on the repositories when I first checked, so everyone should have this fixed within days, so do your regular updates!