[SOLVED] CentOS 5 is vulnerable to heartbleed!

lamboluvr
Posts: 2
Joined: 2014/04/10 20:13:16

[SOLVED] CentOS 5 is vulnerable to heartbleed!

Post by lamboluvr » 2014/04/10 20:24:41

One of our old web boxes is running CentOS 5.10 (see http://cl.ly/image/2z1j2f2A0a3A) running the latest version of openssl provided by centos and all heartbleed vuln check scripts I've thrown at it show signs of memory leaks :shock: :shock: :shock: . Looks like I HAVE NO CHOICE but to recompile openssl even though you advise against it.
Last edited by avij on 2014/04/10 21:27:45, edited 2 times in total.
Reason: changed CentOS 5.1 to CentOS 5.10

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CentOS 5 is vulnerable to heartbleed!

Post by avij » 2014/04/10 20:39:54

I believe your webserver is not using those openssl packages but some other openssl.

Run "lsof | grep libssl | grep http" or similar, and see which libssl files are in use.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CentOS 5 is vulnerable to heartbleed!

Post by avij » 2014/04/10 20:45:23

I do not know if mod_spdy runs on CentOS 5, but if it does and you have it installed, please note that it contains its own copy of openssl. Previous versions were vulnerable to CVE-2014-0160, but a fixed version was recently released.

If you have mod-spdy-beta installed, try removing it and run "service httpd restart".

edit:
I tried installing mod_spdy on CentOS 5, but it failed. That package would need httpd >= 2.2.4, but CentOS 5 has only 2.2.3. So unless you are running a non-CentOS httpd, mod_spdy is not the problem you are seeing.

In any case, if your web server is vulnerable, it is because of some third party package, or some package that you have compiled yourself. CentOS 5 as shipped by the CentOS Project is not vulnerable to CVE-2014-0160.
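An added example (not avij's code and not anything posted in this thread) that automates the check suggested in the two posts above: list the libssl objects that httpd processes have actually mapped, flag any that live outside the distro's library directories, and on an RPM-based host ask rpm who owns them. The lsof lines, the /opt/bitnami path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: which libssl has the web server really loaded, and did it
# come from the distro or from a third-party bundle?
# The lsof lines below are constructed sample output, not from the thread.
SAMPLE_LSOF='httpd    1234   root  mem  REG  253,0  412344  98765 /opt/bitnami/common/lib/libssl.so.1.0.0
httpd    1234   root  mem  REG  253,0  229640  12345 /lib64/libssl.so.0.9.8e
sshd      987   root  mem  REG  253,0  229640  12345 /lib64/libssl.so.0.9.8e
httpd    1235 apache  mem  REG  253,0  412344  98765 /opt/bitnami/common/lib/libssl.so.1.0.0'

# Read lsof output on stdin; print each distinct libssl path mapped by a
# process whose COMMAND column matches the pattern in $1 (e.g. "http").
# Equivalent to: lsof | grep libssl | grep http, minus duplicates.
libssl_paths_for() {
  awk -v pat="$1" '$1 ~ pat && $NF ~ /libssl/ { print $NF }' | sort -u
}

# "distro" if the path is under a standard system library directory,
# "foreign" otherwise (/opt/..., /usr/local/..., a vendor stack, etc.).
classify_libssl_path() {
  case "$1" in
    /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo distro ;;
    *) echo foreign ;;
  esac
}

# Read lsof output on stdin; print only the foreign libssl paths for $1.
# A non-empty result means the server's TLS is not the distro's openssl,
# so the distro's patch status says nothing about it.
foreign_libssl_for() {
  libssl_paths_for "$1" | while read -r path; do
    if [ "$(classify_libssl_path "$path")" = foreign ]; then
      echo "$path"
    fi
  done
}

# On an RPM-based host, report which package (if any) owns the path.
# A distro library is owned by a package (openssl); a vendor bundle usually
# is not, which is the second tell-tale sign after the path itself.
rpm_owner_of() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not available"
  elif ! rpm -qf "$1" 2>/dev/null; then
    echo "not owned by any package"
  fi
}

# One line per loaded libssl: path, classification, owning package.
report() {
  libssl_paths_for "$1" | while read -r path; do
    printf '%s\t%s\t%s\n' "$path" "$(classify_libssl_path "$path")" \
      "$(rpm_owner_of "$path")"
  done
}

if [ "$1" = "--live" ]; then
  # Real run on this host (needs lsof; run as root to see every process).
  lsof 2>/dev/null | report http
else
  # Offline demonstration on the constructed sample.
  printf '%s\n' "$SAMPLE_LSOF" | report http
fi
```

Run it as `sh check-libssl.sh --live` on the box in question; any line classified as foreign is the copy of openssl that the vendor stack (Bitnami in this thread) ships and that its own patcher, not yum, has to update.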

lamboluvr
Posts: 2
Joined: 2014/04/10 20:13:16

Re: CentOS 5 is vulnerable to heartbleed!

Post by lamboluvr » 2014/04/10 21:20:42

avij wrote: I believe your webserver is not using those openssl packages but some other openssl.

Run "lsof | grep libssl | grep http" or similar, and see which libssl files are in use.

Ahhh. Sorry for the freakout! Whoever set this box up trolled me with a bitnami stack. Had to use their patcher. Thanks for the help.

loopx
Posts: 22
Joined: 2010/04/13 13:30:39

Re: [SOLVED] CentOS 5 is vulnerable to heartbleed!

Post by loopx » 2014/04/13 12:58:38

The issue with openssl is in versions above 1.0 ... CentOS 5 and RHEL5 are not impacted by that.

I don't see what your problem is: just stay calm, maybe?

:)

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: [SOLVED] CentOS 5 is vulnerable to heartbleed!

Post by avij » 2014/04/13 16:03:58

It is possible to modify a CentOS 5 system to be vulnerable to Heartbleed, but only with additional software from third parties. This is what happened here.
