On Thursday, 10 April 2014 04:32:34 MSK, Michael Orlitzky wrote:
> Yes, upgrade your OpenSSL to the latest stable version, and if 1.0.1g
> isn't stable on your arch (it should be unless it's a weird one), unset
> USE=tls-heartbeat like Ralf said.
>
> But that's not your big problem. If you operate any servers, the private
> keys to any OpenSSL-backed service may have been compromised. So the old
> certificates all need to be revoked and new ones issued. That includes
> Apache, OpenVPN, Postfix, Dovecot -- all the big ones. Even if you don't
> run servers, other people do, and they were probably vulnerable. So any
> passwords you've used on the web in the past two years should be changed.

What surprises me here is OpenSSH. It's not supposed to use OpenSSL, but
the Debian update process suggests restarting it after updating OpenSSL to a
fixed version. Is it overkill on their part? It might confuse admins.
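The restart question above comes down to which long-running daemons still have the pre-upgrade libssl/libcrypto mapped in memory, since those keep executing the old code until restarted. The following script is an added example, not code from this thread or from any distribution's tooling; it assumes a Linux /proc layout and the usual libssl/libcrypto sonames, and the sample maps content is constructed.

```python
import os
from typing import Dict, List

DELETED_SUFFIX = " (deleted)"


def stale_libs_in_maps(maps_text: str) -> List[str]:
    """Return paths of libssl/libcrypto mappings whose backing file was replaced.

    The kernel appends ' (deleted)' to a mapping when the file behind it was
    unlinked or replaced after the process mapped it, which is exactly what a
    package upgrade does. Such a process is still running the OLD library.
    """
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping with no backing file
        path = fields[5]
        if not path.endswith(DELETED_SUFFIX):
            continue
        path = path[: -len(DELETED_SUFFIX)]
        if os.path.basename(path).startswith(("libssl", "libcrypto")):
            stale.add(path)
    return sorted(stale)


def processes_with_stale_openssl(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Scan every PID under proc_root and report those that need a restart."""
    result: Dict[int, List[str]] = {}
    if not os.path.isdir(proc_root):
        return result
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                libs = stale_libs_in_maps(f.read())
        except OSError:
            continue  # process exited, or no permission (run as root to see all)
        if libs:
            result[int(entry)] = libs
    return result


# Constructed sample: roughly what /proc/<pid>/maps of an sshd started before
# the upgrade could look like (addresses and inode numbers are made up).
SAMPLE_MAPS = """\
7f1a3c000000-7f1a3c1c9000 r-xp 00000000 08:01 1310765 /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f1a3c400000-7f1a3c462000 r-xp 00000000 08:01 1310770 /usr/lib64/libssl.so.1.0.0 (deleted)
7f1a3c800000-7f1a3c9a0000 r-xp 00000000 08:01 1310100 /lib64/libc-2.17.so
7f1a3cb00000-7f1a3cb20000 r-xp 00000000 08:01 1310200 /lib64/libz.so.1.2.8 (deleted)
"""

if __name__ == "__main__":
    for pid, libs in sorted(processes_with_stale_openssl().items()):
        print(f"restart needed: pid {pid} still maps {', '.join(libs)}")
```

Run it as root after the OpenSSL upgrade; an empty report means every process has picked up the new library, which settles the sshd question for your own box rather than relying on the distribution's generic advice.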