The Heartbleed Bug


Nathan Osman
published April 7, 2014, 9:18 p.m.


OpenSSL is one of the most ubiquitous components in a secure network environment. In fact, chances are good that if you accessed the Internet today your browser communicated with a number of servers running OpenSSL. Today, an announcement was made describing a critical flaw in the OpenSSL source code.

The Problem

According to heartbleed.com (which goes into quite a bit of detail):

The Heartbleed bug ... allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

What does this mean? If you are viewing a website that encrypts traffic (look for the https:// protocol in the address bar), it may be possible under certain conditions for an attacker to obtain the remote server's private key and decrypt content exchanged between you and the website you are viewing.

The Solution

Update: Ubuntu has issued a USN containing updated packages for Ubuntu 14.04, 13.10, 12.10, and 12.04. In other words, check for updates and install them.

This bug has now been fixed and a new version of OpenSSL released (v1.0.1g). Unfortunately this hasn't hit the archives yet, so if you are really in desperate need of a patched copy of the library, do not despair!

We have a PPA:

ppa:george-edison55/openssl-heartbleed-fix

Currently, we have packages for the following series:

  • Precise Pangolin
  • Saucy Salamander
  • Trusty Tahr

You can install everything with the following three commands:

sudo add-apt-repository ppa:george-edison55/openssl-heartbleed-fix
sudo apt-get update
sudo apt-get upgrade

Now you can breathe a sigh of relief.

If you are running into errors running "add-apt-repository" on Ubuntu 12.04, install the "python-software-properties" package with the following command and try again:

sudo apt-get install python-software-properties
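Upgrading the package replaces the library on disk, but daemons that were already running keep the old copy mapped until they are restarted. The script below is an added example, not part of the original post: it lists processes that still map a replaced libssl or libcrypto by scanning /proc. The function name find_stale_libssl and its optional proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# After a shared library is upgraded, the old file is unlinked, and any
# process that still has it mapped shows the path with a "(deleted)"
# suffix in /proc/<pid>/maps. Those processes are still running the old
# OpenSSL code and need a restart.

# find_stale_libssl [PROC_ROOT]
#   Prints "PID NAME" for every process whose memory map references a
#   libssl or libcrypto file that no longer exists on disk.
#   PROC_ROOT defaults to /proc; the argument is a hypothetical
#   convenience so the function can be pointed at a test directory.
find_stale_libssl() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes that vanished or that we cannot read.
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            pid=${dir##*/}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Run as root to see every user's processes; otherwise only your own
# processes are readable.
find_stale_libssl "${1:-/proc}"
```

Any process it prints should be restarted (or the machine rebooted) so that it loads the patched library.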