On Thursday, 10 April 2014 04:32:34 MSK, Michael Orlitzky wrote:
Yes, upgrade your OpenSSL to the latest stable version, and if 1.0.1g
isn't stable on your arch (it should be unless it's a weird one), unset
USE=tls-heartbeat like Ralf said.

But that's not your big problem. If you operate any servers, the private
keys to any OpenSSL-backed service may have been compromised. So the old
certificates all need to be revoked and new ones issued. That includes
Apache, OpenVPN, Postfix, Dovecot -- all the big ones. Even if you don't
run servers, other people do, and they were probably vulnerable. So any
passwords you've used on the web in the past two years should be changed.

What surprises me here is OpenSSH. It's not supposed to use OpenSSL, but the Debian update process suggests restarting it after updating OpenSSL to a fixed version. Is it overkill on their part? It might confuse admins.

