Mailing List Archive

Update ucspi-ssl to cope with Heartbleed bug in OpenSSL
Hi,

ucspi-ssl is linked with the OpenSSL files and potentially is subject to
the Heartbleed bug (<https://www.openssl.org/news/secadv_20140407.txt>).

Advice:

1. Check whether your OpenSSL version is vulnerable.
2. In case it is, use your package management to install the corrected
version. Otherwise, install the updated OpenSSL version from the source (in
the old dirs).
3. Go to the ucspi-ssl package dir. Locate the current version and simply
remove the ./compile directory. Call /package/install. This will rebuild
ucspi-ssl with the current OpenSSL sources.
4. Restart your services depending on ucspi-ssl.
5. It might be necessary to use updated X.509 certs + keyfiles; though I
don't believe this bug is exploited much in the wild (yet).


Note: In case you use DH and PFS, your encryption is still not vulnerable.
However, under odd circumstances your key file may be leaked, thus your
authentication may be abused. In case you use RSA for encryption, I urge
you to use new certs and keyfiles. Ask your CA to revoke the old certs.

regards.
--eh.





--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/ | PGP-Key-Id: 7E4034BE
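
Step 1 of the advice above, as an added example (not part of the original message and not ucspi-ssl code): a POSIX shell helper that classifies an `openssl version` line against the release range named in the linked advisory (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1). The function name `heartbleed_status` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify an `openssl version` line against the upstream releases the
# OpenSSL advisory of 2014-04-07 lists as affected.
# heartbleed_status is a hypothetical helper name, not an OpenSSL tool.
heartbleed_status() {
    # $1: the line printed by `openssl version`,
    #     e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    ver=${ver%-fips}    # some distro builds report e.g. "1.0.1e-fips"
    case "$ver" in
        '')
            echo unknown ;;            # not an OpenSSL version line
        1.0.1|1.0.1[abcdef]|1.0.2-beta|1.0.2-beta1)
            # Upstream release is in the affected range. A distro package
            # may carry a backported fix under the same version string, so
            # confirm with the package changelog before concluding.
            echo affected-range ;;
        1.0.1-*|1.0.2-*)
            echo unknown ;;            # other pre-releases: not listed in the advisory
        *)
            echo outside-range ;;      # 0.9.8, 1.0.0, 1.0.1g and later
    esac
}

# Constructed sample lines, so the script shows results without OpenSSL installed.
for sample in \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013"
do
    printf '%-36s %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# The locally installed OpenSSL, if there is one on PATH.
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    printf '%-36s %s\n' "$line" "$(heartbleed_status "$line")"
fi
```

This reports on the OpenSSL that is installed, not on what the ucspi-ssl binaries were compiled against, which is why step 3 rebuilds ucspi-ssl after OpenSSL has been updated.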