An upstream OpenSSL bug (referred to as ‘heartbleed’) has been patched in the upstream distro to FreePBX.
We’ve added the updated packages to our yum repositories and the mirrors are syncing now.
Run the command ‘yum update openssl’ on your box. Please note you need to be on a 5.211.65 or 6.211.65 release to get this updated RPM. The package will also be included in the next upgrade scripts but since this is a pretty big exploit we did not want to make users wait for the next upgrade.
If you are using FreePBX on a non FreePBX Distro system we recommend you upgrade openssl to a newer version that includes this patch immediately.
I believe this post should be moved to the distro-specific forum. It won’t work if you don’t use the FreePBX repos and certainly won’t work on non-CentOS setups.
It’s worth pointing out that OpenSSH is not affected by the OpenSSL bug. While OpenSSH does use openssl for some key-generation functions, it does not use the TLS protocol (and in particular the TLS heartbeat extension that heartbleed attacks). So there is no need to worry about SSH being compromised, though it is still a good idea to update openssl to 1.0.1g or 1.0.2-beta2 (but you don’t have to worry about replacing SSH keypairs). – dr jimbob 6 hours ago
Good news for old versions, I guess. Thank you very much for the info. I’ll talk to the boss about getting Schmoozecom Support’s quote for the upgrade.
Hi, not sure if I can ask a basic question here. Stop reading here if not.
I tried to run ‘yum update openssl’ on my freepbx/schmoozecom appliance and it downloaded but said ‘no packages marked for update’.
I checked the release and got:
[root@localhost ~]# cat /etc/centos-release
CentOS release 6.2 (Final)
Did I miss something?
I don’t know CentOS, I just carefully read what to do and do exactly that. Probably dangerous.
Brent, that is an older system which IIRC isn’t vulnerable to the bug. You may want to upgrade though, and when you do you’ll automatically get the fixed software.
The Heartbleed.com website lists 1.0.1e-15 on CentOS to be vulnerable, and recommends 1.0.1g.
On all systems I’m on 5.211.65-11, but “yum list openssl” returns:
Installed Packages
openssl.i686 1.0.1e-16.el6_5.7 @updates
and “yum update openssl” says “No Packages marked for Update”.
What now?
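Added example, not from this thread or the FreePBX project: a POSIX shell helper that classifies an installed openssl package version string (the form printed by “yum list openssl” or “rpm -q openssl”) as not-affected, vulnerable or fixed for the heartbeat bug. It encodes the upstream boundaries the thread cites (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed) plus the Red Hat/CentOS 6.5 backport, which kept the 1.0.1e version number and shipped the fix as release 16.el6_5.7 (so 1.0.1e-15 is vulnerable, 1.0.1e-16.el6_5.7 is fixed). The function names, the sample strings and the `--installed` flag are my own; backports from other distros are not encoded and are reported conservatively as vulnerable.

```shell
#!/bin/sh
# Added example (not the forum's or FreePBX's own code): decide whether an
# openssl package version string is affected by the TLS heartbeat bug.
#
# Rules encoded:
#  - below 1.0.1: the heartbeat extension code did not exist -> not-affected
#  - 1.0.1 .. 1.0.1f and 1.0.2-beta1: affected upstream -> vulnerable, unless
#    the EL6 backport release 16.el6_5.7 (or a later el6_5 release) is present
#  - 1.0.1g+ and 1.0.2-beta2+: fixed upstream -> fixed
#  - anything else: unknown (do not assume safety)

heartbleed_status() {
    ver=$1                 # e.g. "1.0.1e-16.el6_5.7" or "1.0.1g"
    base=${ver%%-*}        # upstream version part, e.g. "1.0.1e"
    case $ver in
        *-*) rel=${ver#*-} ;;   # distro release part, e.g. "16.el6_5.7"
        *)   rel="" ;;
    esac

    case $base in
        0.*|1.0.0*)
            echo not-affected ;;
        1.0.1|1.0.1[a-f])
            # Affected upstream series: only a distro backport can fix it.
            case $rel in
                16.el6_5.[7-9]|16.el6_5.[1-9][0-9]|1[7-9].el6_5*|[2-9][0-9].el6_5*)
                    echo fixed ;;
                *)  echo vulnerable ;;
            esac ;;
        1.0.1[g-z]*)
            echo fixed ;;
        1.0.2)
            case $rel in
                beta1) echo vulnerable ;;
                *)     echo fixed ;;      # beta2 and later, or the final release
            esac ;;
        *)
            echo unknown ;;
    esac
}

# Query the local rpm database (only meaningful on an RPM-based box such as
# the FreePBX Distro) and classify every installed openssl package.
report_installed() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null | while read -r v; do
        printf '%-24s %s\n' "$v" "$(heartbleed_status "$v")"
    done
}

# Constructed sample strings, including the ones quoted in the thread.
for v in 1.0.1e-15.el6 1.0.1e-16.el6_5.7 1.0.1g 1.0.2-beta1 1.0.2-beta2 1.0.0-20.el6; do
    printf '%-24s %s\n' "$v" "$(heartbleed_status "$v")"
done

# Run as "sh heartbleed_check.sh --installed" to check the real rpm database.
if [ "${1:-}" = "--installed" ]; then
    report_installed
fi
```

The release-string comparison is deliberately narrow: it recognises only the el6_5 backport, because a package that reports 1.0.1e while being patched is exactly the case that confuses a plain version comparison, as the last post in this thread shows.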