RHEL and CentOS both have patches out as of a couple hours ago, so run those updates! CentOS' mirrors do not all have it yet, so if you are updating, make sure you get the 1.0.1e-16.el6_5.7 version and not older.

David

-----Original Message-----
From: Paul Ferguson [mailto:fergdawgs...@mykolab.com]
Sent: Tuesday, April 08, 2014 1:07 AM
To: NANOG
Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

I'm really surprised no one has mentioned this here yet...

FYI,

- ferg

Begin forwarded message:

> From: Rich Kulawiec <r...@gsp.org>
> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
> Date: April 7, 2014 at 9:27:40 PM EDT
>
> This reaches across many versions of Linux and BSD and, I'd presume,
> into some versions of operating systems based on them.
> OpenSSL is used in web servers, mail servers, VPNs, and many other
> places.
>
> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>
> Technical details: Heartbleed Bug http://heartbleed.com/
>
> OpenSSL versions affected (from link just above):
> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
> OpenSSL 1.0.0 branch is NOT vulnerable
> OpenSSL 0.9.8 branch is NOT vulnerable

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
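
Added example, not part of either message above: a shell sketch that keeps the two checks in this thread separate, because the fixed EL6 package (1.0.1e-16.el6_5.7) still carries the upstream number 1.0.1e, which the upstream list marks as vulnerable. The function names are hypothetical, the sample package strings are constructed, and `sort -V` is used as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example: classify OpenSSL builds against the versions quoted in this thread.
LC_ALL=C; export LC_ALL            # make [a-f] ranges byte-wise, not locale-wise

FIXED_EL6="1.0.1e-16.el6_5.7"      # fixed RHEL/CentOS package named in the thread

# upstream_status VERSION
# Applies the upstream ranges from the forwarded message to a plain
# upstream version string (no distribution release suffix).
upstream_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;      # 1.0.1 through 1.0.1f
        1.0.1[g-z]*)      echo not-vulnerable ;;  # 1.0.1g and later letters
        1.0.0*|0.9.8*)    echo not-vulnerable ;;  # older branches
        *)                echo unknown ;;         # not covered by the thread
    esac
}

# el6_status VERSION-RELEASE
# For an EL6 1.0.1e package, compares the full version-release string
# against the fixed build. Assumption: sort -V ordering stands in for
# RPM's own comparison, which is close enough for these release strings.
el6_status() {
    case "$1" in
        1.0.1e-*el6*) ;;
        *) echo unknown; return 0 ;;
    esac
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_EL6" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_EL6" ]; then
        echo patched                # same as, or newer than, the fixed build
    else
        echo vulnerable             # older than the fixed build
    fi
}

# Constructed sample inputs. On a real host the string would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
for pkg in 1.0.1e-15.el6 1.0.1e-16.el6_5.4 1.0.1e-16.el6_5.7; do
    printf '%-20s upstream=%-11s package=%s\n' \
        "$pkg" "$(upstream_status "${pkg%%-*}")" "$(el6_status "$pkg")"
done
```

On a patched host the upstream check still reports 1.0.1e as vulnerable, so the package release is the value to trust there.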