All versions of CentOS 5 and CentOS 6 are not vulnerable to this problem except CentOS 6.5. CentOS 6.5 introduced this problem when openssl was rebased from 1.0.0 to 1.0.1e. Fixed packages containing a backported patch were released overnight 2014/04/08 and should have replicated to all CentOS mirrors by now. All users of CentOS 6.5 should `yum update openssl` and check that they subsequently have openssl-1.0.1e-16.el6_5.7 or higher installed. If the package is updated then you should check which services are using it by running
lsof -n | grep ssl | grep -i del
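As an added example (not part of the original post), a small shell script that classifies an `rpm -q openssl` result against the fixed release named above and parses `lsof -n` output for services still mapping a deleted OpenSSL library; it also matches libcrypto, which the post's grep for "ssl" does not, since it ships in the same openssl package. The lsof lines in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the CentOS 6.5 check above.
# Fixed release named in the post: openssl-1.0.1e-16.el6_5.7.

# Print "unaffected", "vulnerable" or "fixed" for an openssl package string as printed by
# `rpm -q openssl`, e.g. "openssl-1.0.1e-16.el6_5.4.x86_64" or just "1.0.1e-16.el6_5.7".
classify_openssl() {
    printf '%s\n' "$1" | awk '{
        v = $0; sub(/^openssl-/, "", v); sub(/\.(i686|x86_64|noarch)$/, "", v)
        # 0.9.8e (CentOS 5) and 1.0.0 (CentOS 6.0-6.4) builds never had the bug
        if (split(v, nv, "-") < 2 || nv[1] != "1.0.1e") { print "unaffected"; exit }
        nr = split(nv[2], r, ".")      # "16.el6_5.7" -> 16, "el6_5", 7 ; "15.el6" -> 15, "el6"
        major = r[1] + 0; minor = (nr >= 3) ? r[3] + 0 : 0
        res = (major > 16 || (major == 16 && minor >= 7)) ? "fixed" : "vulnerable"
        print res
    }'
}

# Read `lsof -n` output on stdin; print "COMMAND PID" once per process still mapping a
# deleted libssl or libcrypto, i.e. a service not restarted after `yum update openssl`.
# The post greps for "ssl"; libcrypto is in the same openssl package, so it is matched too.
stale_ssl_users() {
    awk '/lib(ssl|crypto)\.so/ && /\(deleted\)/ {
        key = $1 " " $2
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed lsof lines for demonstration (not output from a real host).
SAMPLE_LSOF='httpd   1234  root  mem  REG  253,0   407696  131 /usr/lib64/libssl.so.1.0.1e (deleted)
httpd   1234  root  mem  REG  253,0  1957584  132 /usr/lib64/libcrypto.so.1.0.1e (deleted)
sshd     987  root  mem  REG  253,0  1957584  132 /usr/lib64/libcrypto.so.1.0.1e (deleted)
nginx   2222 nginx  mem  REG  253,0   407696  140 /usr/lib64/libssl.so.1.0.1e'

echo "Parsed sample lsof output (processes to restart):"
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_users

# Live check on a CentOS host; both tools are optional so the script also runs elsewhere.
if command -v rpm >/dev/null 2>&1 && pkgs=$(rpm -q openssl 2>/dev/null); then
    for pkg in $pkgs; do echo "$pkg: $(classify_openssl "$pkg")"; done
fi
if command -v lsof >/dev/null 2>&1; then
    echo "Live processes still using a deleted OpenSSL library:"
    lsof -n 2>/dev/null | stale_ssl_users
fi
```

A process listed by `stale_ssl_users` keeps running the old code until it is restarted, so the package version alone is not proof that a service is fixed.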
Anyone who is using mod_spdy from Google is advised that it appears that this module has static copies of the affected openssl code embedded in it and until such time as they release a new version, anyone using mod_spdy on their web server is still vulnerable even if they have openssl-1.0.1e-16.el6_5.7 installed. A recent post here says that they have updated it to fix the problem. Users of mod_spdy should update ASAP.
It's also reported that OpenVPN AS Server prior to version 2.0.6 is vulnerable. This is not a CentOS supplied package but a download specifically from openvpn.org.
It is unknown if there are exploits in use in the wild prior to the fix being released and if you have services using TLS exposed to the internet then you should consider having your SSL certificate provider revoke and reissue your SSL certificate using a new key.
Again, users of CentOS 5 (all versions) and CentOS 6 prior to 6.5 are unaffected by this vulnerability. The vulnerability was introduced by the openssl-1.0.1e packages that were introduced with the release of 6.5 (specifically, openssl versions from 1.0.1e-15.el6 through 1.0.1e-16.el6_5.4).