Forum OpenACS Development: Security Bug In OpenSSL
All the best :)
You would need to patch your services and re-issue keys. Upgrading to openssl-1.0.1g seems to be a good first step.
And I was playing a bit to solve that and it seems to be easy (I'm not a security expert and I don't have very sensitive data, so I did not do a serious audit). But this works (on ns 4.99.6 (HEAD) and Debian):
1. apt-get upgrade. After that, "openssl version" reported OpenSSL 1.0.1e 11 Feb 2013 (not 1.0.1g). Debian guys work fast.
2. restart naviserver (this is not an issue of naviserver or aolserver)
And it works (I know that to be completely sure I would have to rebuild the certificates, but I don't think my server is of interest to the NSA or whatever 😉).
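Two checks for the "upgrade, then restart" steps above, added here as an example (not code from the thread or from OpenACS/NaviServer). Debian backports security fixes without bumping the upstream version string, so "openssl version" printing 1.0.1e proves nothing either way; the script compares the installed package version against the fixed package version (both passed in as arguments, since the real numbers belong to the Debian advisory) and then looks for processes that still map the pre-upgrade, now-deleted libssl. It assumes GNU `sort -V` and a Linux `/proc`.

```shell
#!/bin/sh
# Added example, not from the original thread.

# Usage: pkg_is_patched INSTALLED FIXED
# Versions as printed by `dpkg -s libssl1.0.0 | grep ^Version`.
# Returns 0 when INSTALLED >= FIXED. Uses GNU `sort -V`; on a real Debian
# host `dpkg --compare-versions` is the authoritative comparison.
pkg_is_patched() {
    installed=$1
    fixed=$2
    # If FIXED is the lowest (or equal) of the two, INSTALLED is at least as new.
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Usage: has_stale_libssl MAPS_FILE
# Returns 0 when the given /proc/PID/maps content shows a libssl mapping whose
# backing file was deleted, i.e. the process loaded the library before the
# upgrade replaced it on disk and has not been restarted since.
has_stale_libssl() {
    grep -Eq 'libssl[^ ]*\.so[^ ]* \(deleted\)' "$1"
}

# Print the PIDs of all processes on this host that still map the old libssl
# (reading other users' maps needs root). Restart each of them.
stale_libssl_pids() {
    for m in /proc/[0-9]*/maps; do
        has_stale_libssl "$m" 2>/dev/null && echo "$m" | cut -d/ -f3
    done
}

# Constructed sample of one /proc/PID/maps line (not captured from a real host):
sample=$(mktemp)
cat > "$sample" <<'EOF'
7f1c3a000000-7f1c3a200000 r-xp 00000000 08:01 131142 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
EOF
if has_stale_libssl "$sample"; then
    echo "a process still maps the pre-upgrade libssl: restart it"
fi
rm -f "$sample"
```

Run `stale_libssl_pids` as root after `apt-get upgrade`; an empty result means every TLS-speaking service (NaviServer included) is using the new library.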
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
But in my installation (upgraded from Debian, I didn't build it) 1.0.1e worked (or at least that's what the test said).
But compiling your own OpenSSL 1.0.1g is certainly safe in this regard.
Changing the library/recompiling is the easy part; "fixing" the damage is harder, since Heartbleed allows reading the memory (TCP buffers, etc.). One should change all HTTP authentication credentials which were ever transported over affected SSL channels, after the leak was fixed ... also for external sites. Also, getting new certificates might not be a bad idea.
More OSS marketing like Heartbleed, please.
JFYI, another vulnerability in OpenSSL has just been announced:
SSL/TLS MITM vulnerability (CVE-2014-0224)
Kind regards, Michael