OpenSSL Heartbleed Oracle fixed version is 1.0.1e-16.el6_5.7

When looking for the OpenSSL 1.0.1g fix for Oracle (Red Hat) Linux 6, the fixed package version is ‘1.0.1e-16.el6_5.7’. I think this is a bit misleading, because upstream OpenSSL 1.0.1e is subject to the bug (CVE-2014-0160). But according to the Red Hat site and Oracle MetaLink (MOS Note 1663998.1): “Version openssl-1.0.1e-16.el6_5.7 included a fix backported from openssl-1.0.1g.”

Simple version-string checks can report a false positive here, because they only look at the reported version (1.0.1e) and flag anything that is not 1.0.1g, without accounting for the backported fix. Check the package changelog or the full package release, not just the version string.
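A check that looks at version and release instead of hunting for the string 1.0.1g, as an added example (not code from the original post). It only knows the el6 release scheme; the package strings in the test calls are constructed, and the fixed release 16.el6_5.7 is the one named above.

```shell
#!/bin/sh
# Added example (not from the original post): classify an installed el6
# openssl package by version AND release instead of looking for "1.0.1g".
# The fixed package named in the post is openssl-1.0.1e-16.el6_5.7.

# Does the el6 release field ($1, e.g. "16.el6_5.7") carry the backport?
# Fixed at 16.el6_5.7: a higher base release, or base 16 with a z-stream
# suffix of .7 or later. This split is an approximation of rpmvercmp that
# is sufficient for el6 release strings; it is not a general comparator.
release_has_backport() {
    rel="$1"
    base="${rel%%.*}"                    # "16"
    rest="${rel#*.}"                     # "el6_5.7" (or "el6")
    case "$base" in ''|*[!0-9]*) return 1 ;; esac
    case "$rest" in
        el6_5.*) sub="${rest#el6_5.}" ;; # "7"
        *)       sub=0 ;;
    esac
    case "$sub" in ''|*[!0-9]*) sub=0 ;; esac
    [ "$base" -gt 16 ] || { [ "$base" -eq 16 ] && [ "$sub" -ge 7 ]; }
}

# Print fixed / vulnerable / not-affected / unknown for a package string as
# printed by "rpm -q openssl", e.g. openssl-1.0.1e-16.el6_5.7.x86_64.
heartbleed_status() {
    nvra="${1#openssl-}"
    case "$nvra" in
        *.x86_64) nvra="${nvra%.x86_64}" ;;
        *.i686)   nvra="${nvra%.i686}" ;;
    esac
    ver="${nvra%%-*}"
    rel="${nvra#*-}"
    case "$ver" in
        0.9.8*|1.0.0*)                  # heartbeat extension not present in these branches
            echo not-affected ;;
        1.0.1e)                         # vulnerable unless the el6 backport is present
            if release_has_backport "$rel"; then echo fixed; else echo vulnerable; fi ;;
        1.0.1|1.0.1[a-d]|1.0.1f)        # upstream vulnerable releases
            echo vulnerable ;;
        1.0.1[g-z])                     # upstream fixed in 1.0.1g
            echo fixed ;;
        *)  echo unknown ;;
    esac
}

# On a real box (needs rpm): one line per installed openssl package.
check_installed_openssl() {
    rpm -q openssl --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' |
    while read -r pkg; do
        printf '%s %s\n' "$pkg" "$(heartbleed_status "$pkg")"
    done
}
```

Calling ‘check_installed_openssl’ on the box prints the installed package next to its status; ‘rpm -q --changelog openssl | grep CVE-2014-0160’ is the independent confirmation that the backport is really in the package, since the changelog entry names the CVE.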

Update…

To update to the ‘latest’ OpenSSL version, enable the [OL6_latest] repository and run ‘yum update openssl’:

Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-15.el6 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Finished Dependency Resolution
(etc...)

Testing for processes using OpenSSL

One can check which processes are using OpenSSL (this is not a Heartbleed vulnerability test) with either of the following two commands. This matters after the update: a process that loaded the old libssl keeps running the vulnerable code until it is restarted, so every process listed here needs a restart (or reboot the box):

$ lsof | awk 'NR==1 || $0~/libssl.so.1.0.1e/'
$ grep libssl.so.1.0.1 /proc/*/maps |cut -d/ -f3 |sort -u |xargs -r -- ps uf
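The two commands above list every libssl user; the ones that matter after ‘yum update’ are those whose mapped libssl file has been replaced on disk, which the kernel marks “(deleted)” in /proc/PID/maps. The following is an added example (not from the original post) that lists only those PIDs; the /proc look-alike it builds is constructed for demonstration, and on a real system /proc/PID/maps of other users’ processes is only readable as root.

```shell
#!/bin/sh
# Added example, not from the original post: find processes that still have
# a libssl mapped from a file that was replaced by the package update. The
# kernel marks such mappings "(deleted)" in /proc/PID/maps, so the process
# keeps running the pre-update code until it is restarted.

# $1 is the proc root (default /proc); passing another directory lets the
# function be exercised against a constructed tree. Prints one PID per line.
stale_libssl_pids() {
    proc="${1:-/proc}"
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue           # unreadable (not root) or no match
        if grep -q 'libssl\.so.*(deleted)' "$maps" 2>/dev/null; then
            pid="${maps#"$proc"/}"
            pid="${pid%/maps}"
            echo "$pid"
        fi
    done | sort -n
}

# Constructed /proc look-alike for demonstration (not captured from a system):
# 1234 still maps the removed libssl, 5678 maps the current file,
# 910 maps a deleted libc but no libssl.
make_sample_proc() {
    root="$1"
    mkdir -p "$root/1234" "$root/5678" "$root/910"
    cat >"$root/1234/maps" <<'EOF'
7f3a2c000000-7f3a2c1a5000 r-xp 00000000 fd:00 131173   /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a2c3a5000-7f3a2c3b0000 rw-p 001a5000 fd:00 131173   /usr/lib64/libssl.so.1.0.1e (deleted)
EOF
    cat >"$root/5678/maps" <<'EOF'
7f1b10000000-7f1b101a5000 r-xp 00000000 fd:00 131980   /usr/lib64/libssl.so.1.0.1e
EOF
    cat >"$root/910/maps" <<'EOF'
7f2200000000-7f2200020000 r-xp 00000000 fd:00 131100   /lib64/libc-2.12.so (deleted)
EOF
}
```

On the real box, run ‘stale_libssl_pids | xargs -r -- ps uf’ as root to see the services that still need a restart; an empty list after restarting them is the confirmation that no vulnerable code is left in memory.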

More info

OpenSSL Security Bug – Heartbleed / CVE-2014-0160

Document written on April 18th, 2014…

Happy blee, uh, testing and patching!

Updating Oracle VM Servers with public YUM

You can update your Oracle VM Servers (3.x) with the Oracle Public Yum Server. In the Oracle VM Manager console go to the ‘Tools and Resources’ tab and click ‘Server Update Management (YUM)’.

For the ‘YUM Base URL:’, use:
http://public-yum.oracle.com/repo/OracleVM/OVM3/latest/x86_64/

When enabling the GPG key, use:
http://public-yum.oracle.com/RPM-GPG-KEY-oracle-el5
(Oracle VM 3.x is based on OEL5)

Public yum package ‘oracle-validated’ problems on 64bit OEL

I was preparing some freshly installed OEL5.5 machines for database software installation, but after running ‘yum install oracle-validated’, the OUI did not pass the prerequisites on two packages. It seems it did not install unixODBC-devel x86_64 and libaio-devel x86_64.

Their Linux may be unbreakable, but their ‘oracle-validated’ package on the public yum server seemed to be broken.