OpenSSL and the Heartbleed vulnerability

Discussion in 'Installation/Configuration' started by mattltm, Apr 8, 2014.

  1. mattltm

    mattltm Member

    I have manually upgraded my ISPConfig Debian-based servers to OpenSSL 1.0.1g but the vulnerability still remains.

    OpenSSL reports as version 1.0.1g.

    Is there a setting in ISPConfig somewhere that needs to be updated?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is nothing in ISPConfig that needs to be updated, as ISPConfig does not ship with any software that uses OpenSSL. Debian has fixed the issue already in Wheezy, and Squeeze was not affected, so all you have to do to fix the vulnerability is to install the latest updates with:

    apt-get update
    apt-get upgrade

    and then restart all services that use openssl like apache, php-fpm, mysql, postfix, dovecot or courier, pure-ftpd.

    Please note that Debian package updates do not increment the version number of the packages, so you can't check it with "openssl version". Instead, you will have to check which OpenSSL package from Debian is installed on your server and then compare it with the release notes to see if the vulnerability is fixed in that version.
     
  3. mattltm

    mattltm Member

    Thanks Till.

    Got it sorted by rebooting the server. Had to reboot twice before it reported that the vulnerability had gone though.
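
The check till describes, plus a way to see which services still need the restart, as an added example that is not part of the thread. It assumes the library package is named `libssl1.0.0` (Debian Wheezy) and that the fixed package version is taken from the Debian security advisory and passed in; `PROC_ROOT` and the function names are made up for this sketch.

```shell
#!/bin/sh
# PROC_ROOT is overridable only so the logic can be run against a
# constructed directory tree; on a real server it stays /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Installed Debian package version of the OpenSSL library. This, not the
# output of "openssl version", is what gets compared with the advisory.
installed_libssl_version() {
    dpkg-query -W -f='${Version}\n' "${1:-libssl1.0.0}" 2>/dev/null
}

# Succeeds when installed version $1 is at least the fixed version $2,
# using Debian's own version ordering.
is_fixed() {
    dpkg --compare-versions "$1" ge "$2"
}

# Prints "pid name" for each process that still maps a libssl/libcrypto
# file that was replaced on disk. The kernel marks such mappings
# "(deleted)"; these processes run the old code until they are restarted.
# Run as root, otherwise other users' maps files are not readable.
stale_openssl_procs() {
    for maps in "$PROC_ROOT"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            echo "${dir##*/} $name"
        fi
    done
}

# report <fixed-version-from-advisory>
report() {
    ver=$(installed_libssl_version) || { echo "libssl package not found"; return 2; }
    if is_fixed "$ver" "$1"; then
        echo "package $ver is at or above $1"
    else
        echo "package $ver is older than $1"
    fi
    echo "processes still using the replaced library (restart these):"
    stale_openssl_procs
}

if [ "${1:-}" = "check" ]; then
    report "${2:?usage: $0 check <fixed-version>}"
fi
```

An empty process list after the upgrade means every service has picked up the new library; anything still listed is why a scanner can keep reporting the server as vulnerable.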
     
