OpenSSL versions 1.0.1 through 1.0.1f do not properly handle Heartbeat Extension packets (CVE-2014-0160, "Heartbleed"), which allows remote attackers to read up to 64 KB of process memory per malformed heartbeat request. That memory can contain the server's private key, session cookies and user passwords.

To check whether your servers are affected, you can use this tool. Also check the version of the installed OpenSSL port. On FreeBSD run (with pkgng: pkg version -v):

# pkg_version -v|grep -is ssl
openssl-1.0.1_8                     <   needs updating (port has 1.0.1_10)

With version 1.0.1g (FreeBSD port version: openssl-1.0.1_10) this bug has been fixed. Note that the port is separate from the OpenSSL shipped in the FreeBSD base system (/usr/bin/openssl, 1.0.1e on FreeBSD 10.0), which must be patched via freebsd-update or a source rebuild. Upgrade the port to the latest version:

# portupgrade openssl-1.0.1_8

After you've upgraded OpenSSL, restart every service that links against it (web and mail servers, and anything else with libssl or libcrypto mapped); a running process keeps the old, vulnerable library in memory until it is restarted. Only then treat every private key as compromised: generate new keys, reissue the certificates and revoke the old ones, and change passwords and session secrets. Rekeying before the restart is pointless, because the still-running old process could leak the new key just as easily. After this, you're safe again 🙂
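As an added example that is not part of the original post, the following script classifies OpenSSL version strings (upstream "1.0.1f" style and FreeBSD port "openssl-1.0.1_8" style) against the affected range, and, on a FreeBSD host, lists the processes that still have libssl/libcrypto mapped so you know what to restart. The function names, the HEARTBLEED_LIVE switch and the sample version strings are my own; the port-revision threshold of 10 is taken from the post's statement that 1.0.1_10 is the first port revision carrying 1.0.1g.

```shell
#!/bin/sh
# Added example, not part of the original post: classify OpenSSL version
# strings against the Heartbleed-affected range and, on a FreeBSD host,
# list processes that still map libssl/libcrypto after the upgrade.

# Upstream affected range: 1.0.1 through 1.0.1f (1.0.0 and 0.9.8 are not
# affected; 1.0.1g is the fix). Exit status 0 means "affected".
heartbleed_vulnerable() {
    case $1 in
        1.0.1)            return 0 ;;   # bare 1.0.1, no patch letter
        1.0.1[abcdef]*)   return 0 ;;   # 1.0.1a .. 1.0.1f, optional suffix
        *)                return 1 ;;
    esac
}

# FreeBSD port version as printed by pkg_version -v / pkg version -v,
# e.g. "openssl-1.0.1_8" or "openssl-1.0.1_10,1". The post states that port
# revision 1.0.1_10 is the first that ships 1.0.1g, so a 1.0.1 port with a
# revision below 10 is treated as affected. Exit status 0 means "affected".
port_vulnerable() {
    pv=${1#openssl-}        # strip the package name
    pv=${pv%%,*}            # strip PORTEPOCH (",1")
    base=${pv%%_*}          # "1.0.1"
    rev=${pv#"$base"}       # "_8" or ""
    rev=${rev#_}            # "8" or ""
    if [ -z "$rev" ]; then rev=0; fi
    case $base in
        1.0.1) [ "$rev" -lt 10 ] ;;
        *)     return 1 ;;
    esac
}

# Human-readable verdict; $1 is "upstream" or "port", $2 the version string.
classify() {
    if [ "$1" = port ]; then
        if port_vulnerable "$2"; then
            echo "$2: AFFECTED, upgrade the port"
        else
            echo "$2: fixed"
        fi
    else
        if heartbleed_vulnerable "$2"; then
            echo "$2: AFFECTED"
        else
            echo "$2: not affected"
        fi
    fi
}

# FreeBSD only: PIDs that have libssl or libcrypto mapped. procstat -v
# prints the backing file's path in its last column. The path of the
# replaced library is unchanged, so this lists every user of the
# libraries; restart each of them so none keeps the old copy in memory.
processes_using_libssl() {
    procstat -va 2>/dev/null | awk '$NF ~ /libssl|libcrypto/ { print $1 }' | sort -un
}

# Constructed sample input (not real host output) so the script runs offline.
for v in 1.0.1 1.0.1e 1.0.1f 1.0.1g 1.0.0m 0.9.8y; do classify upstream "$v"; done
for p in openssl-1.0.1_8 openssl-1.0.1_10 "openssl-1.0.1_10,1"; do classify port "$p"; done

# Live check, opt-in (HEARTBLEED_LIVE=1) so the demo above does not need FreeBSD.
# Both the base-system and the port binary are shown, since they are separate.
if [ "${HEARTBLEED_LIVE:-0}" = 1 ]; then
    for bin in /usr/bin/openssl /usr/local/bin/openssl; do
        if [ -x "$bin" ]; then printf '%s: %s\n' "$bin" "$("$bin" version)"; fi
    done
    echo "Processes mapping libssl/libcrypto (restart these):"
    processes_using_libssl
fi
```

Run it as `HEARTBLEED_LIVE=1 sh heartbleed-check.sh` on the FreeBSD host after `portupgrade`; the PID list it prints is the set of daemons that must be restarted before you rekey. Without the variable it only evaluates the constructed sample strings.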

PS: SSH is not affected by Heartbleed! OpenSSH uses only OpenSSL's libcrypto primitives, not the TLS/DTLS implementation in libssl, and the bug lives in the TLS heartbeat handling.

More information:
