Posted: Tue, 8 Apr 2014 21:58 PM UTC
Last Update: Wed, 16 Apr 2014 11:31 AM UTC (70 hours ago)
Update @UTC 2014-04-15 0326: We ran a scan on IPs in our network and will be emailing customers who appear to be currently affected.
Heartbleed Bug CVE-2014-0160
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
It can result in private keys (e.g. SSL keys) being exposed.
Distro specific information
Debian: https://security-tracker.debian.org/tracker/CVE-2014-0160 (versions prior to Debian 7 Wheezy are unaffected)
CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020248.html (all versions prior to 6.5 are unaffected)
Ubuntu: http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl (all versions prior to 12.04 are unaffected)
What versions of the OpenSSL are affected?
The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, which fixes the bug, was released on 7th of April 2014.
This means the bug has been out in the wild for over 2 years, but is only now becoming widely known and all clients servers need to be tested.
Online checking site here: http://filippo.io/Heartbleed
To see which openssl version you are using, run the command:
Note that the version output is not always a good way to test (since distros will backport the fix and that fix will sometimes not affect the reported version or version date).
Check the package version you are running with a command like dpkg -l | grep openssl
For a completely accurate test use the command line tool here
Patching the bug
In most cases you can fix the issue by just upgrading to your distro's latest package version:
Even better, run a yum upgrade, or an apt-get update followed by an apt-get upgrade, to get all of your distro packages up to date.
Restart applications that may be using OpenSSL, e.g. Apache, email servers, etc. Better still, restart your server.
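A process started before the upgrade keeps the old library mapped until it is restarted. The shell sketch below is an added example, not part of the original notice: it lists processes whose /proc/<pid>/maps still shows a libssl or libcrypto file marked (deleted). The function names and the sample tree are constructed for illustration; reading other users' maps files needs root.

```shell
#!/bin/sh
# Added example (not from the original notice): find processes that still
# run a pre-upgrade OpenSSL library and therefore need a restart.

# stale_openssl_maps FILE: succeeds if the maps file contains a libssl or
# libcrypto mapping whose backing file was replaced (shown as "(deleted)").
stale_openssl_maps() {
    grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$1"
}

# scan_proc [PROC_ROOT]: print "PID COMMAND" for every affected process.
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # skip unreadable or vanished entries
        if stale_openssl_maps "$maps"; then
            dir=${maps%/maps}
            cmd=$(cat "$dir/comm" 2>/dev/null || echo '?')
            echo "${dir##*/} $cmd"
        fi
    done
}

# make_sample: constructed fake /proc tree, one stale and one clean process.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202"
    echo apache2 > "$d/101/comm"
    echo sshd > "$d/202/comm"
    cat > "$d/101/maps" <<'EOF'
7f3c1a200000-7f3c1a255000 r-xp 00000000 08:01 131155 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c1a600000-7f3c1a7b5000 r-xp 00000000 08:01 131200 /lib/x86_64-linux-gnu/libc-2.13.so
EOF
    cat > "$d/202/maps" <<'EOF'
7f9d02000000-7f9d021d3000 r-xp 00000000 08:01 131156 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
    echo "$d"
}

# Demo on the constructed tree; on a real host run as root: scan_proc /proc
sample=$(make_sample)
scan_proc "$sample"        # prints: 101 apache2
rm -rf "$sample"
```

An empty result from scan_proc /proc means no running process still holds the replaced library; it says nothing about whether the installed package itself contains the fix.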
Alternatively, lodge a ticket and request we check and patch your server.
This week (while we will be busy with a number of fixes) there is a one-off USD 10 service per dedicated or virtual server, only if it is found to have the OpenSSL vulnerability, in which case we will take the following action:
1. Update OpenSSL to your distro's latest version (plus other packages required for the upgrade to complete).
Please subscribe to this notice. We will update this notice with more information as it comes to hand, hopefully including tips and tricks (aka scripts) to ease the problem identification and OpenSSL upgrades.
Posted: Sun, 13 Apr 2014 14:11 PM UTC
Last Update: Sun, 13 Apr 2014 14:11 PM UTC (6 days ago)
We saw a period of packet loss to our Dallas datacenter a short time ago. That has been resolved and our network is back to responding normally. We received the following report from the datacenter.
"This morning from 8:25 until approximately 8:40 CDT we were dealing with a rather significant DDOS attack that was causing slow traffic on one of our providers. The attack has been dealt with now, however."