Upgrade OpenSSL to fix high-risk vulnerability Heartbleed

Background:
SSL stands for Secure Sockets Layer, a protocol developed by Netscape that uses data encryption to secure data transmission on the Internet. It ensures that data in transit on the network cannot be eavesdropped on or intercepted.
OpenSSL itself is a powerful cryptographic library. Using the SSL protocol does not strictly require OpenSSL, but in practice almost everyone uses it at present because it is more secure and easier to use.
A very serious bug (CVE-2014-0160) was recently discovered in OpenSSL, the cryptographic library behind the Internet security protocol, in versions 1.0.1 through 1.0.1f. It allows an attacker to read 64 KB of the process memory of the affected system, exposing traffic encryption keys, user names and passwords, and the content being accessed. The vulnerability is known as Heartbleed.
As reported by Solidot on April 7, OpenSSL has released 1.0.1g to fix the bug, the Debian distribution also fixed the bug within half an hour, and Fedora has released a stopgap fix. The bug was introduced into OpenSSL in 2011. Distributions using OpenSSL 0.9.8 are not affected, but Debian Wheezy, Ubuntu 12.04.4, CentOS 6.5, Fedora 18, SUSE 12.2, OpenBSD 5.4, FreeBSD 8.4, NetBSD 5.0.2 and later versions are affected. If the system you run is among those listed above, it is recommended to patch to 1.0.1g or above.

Repair suggestions:
1. If you use OpenSSL 1.0.1 through OpenSSL 1.0.1f, it is recommended to upgrade to OpenSSL 1.0.1g or the latest OpenSSL 1.0.1h.
2. Recompile the lower version of OpenSSL with the -DOPENSSL_NO_HEARTBEATS option to disable the heartbeat feature.
3. Remove the OpenSSL component.

Upgrading OpenSSL to fix the Heartbleed vulnerability
Since we are basically using RHEL 5.8 or OEL 5.8, whose OpenSSL version is OpenSSL 0.9.8e, this vulnerability is not present on them. Some new projects may be affected, however, and the approach to fixing the bug there is the same.
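The following is an added example, not part of the original article: a shell function that applies the affected range given above (1.0.1 to 1.0.1f) and the compile-time option from repair suggestion 2 to the text printed by `openssl version -a`. The function name, the result labels and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# classify_openssl TEXT
# TEXT is the output of `openssl version -a` (or plain `openssl version`).
# Prints: vulnerable | heartbeats-disabled | fixed | not-affected | unknown
classify_openssl() {
    text=$1
    # The first line looks like "OpenSSL 1.0.1e-fips 11 Feb 2013";
    # keep the numeric part plus the patch letter, drop suffixes like -fips.
    ver=$(printf '%s\n' "$text" |
          sed -n '1s/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return; }

    case $ver in
        1.0.1|1.0.1[a-f])
            # Inside the affected range. A build compiled with
            # -DOPENSSL_NO_HEARTBEATS has the heartbeat code compiled out.
            if printf '%s\n' "$text" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
                echo heartbeats-disabled
            else
                echo vulnerable
            fi ;;
        1.0.1[g-z]*)  echo fixed ;;         # 1.0.1g and later 1.0.1 letters
        0.9.*|1.0.0*) echo not-affected ;;  # branches older than 1.0.1
        *)            echo unknown ;;       # versions the article does not cover
    esac
}

# Constructed sample outputs (not captured from real hosts).
sample_rhel5='OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008'
sample_vuln='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'
sample_nohb='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'

for s in "$sample_rhel5" "$sample_vuln" "$sample_nohb"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" \
        "$(classify_openssl "$s")"
done
```

On a live host, call it as `classify_openssl "$(openssl version -a)"`. Distributions that backport the fix keep the upstream version string, so a "vulnerable" result on a packaged build should be confirmed against the vendor's package changelog.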

 
