The Heartbleed Bug (CVE-2014-0160) in OpenSSL looks like a very serious issue; it even has a website created just for it.
The website has very detailed information about the affected systems and a long FAQ. You need to check whether you are affected, and most likely you are.
From OpenSSL Security Advisory [07 Apr 2014]:
TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
Basically, if you are running the 1.0.1 branch and you are not on 1.0.1g, which you most likely are not since it was just released, then you need to update as soon as possible.
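The "missing bounds check" the advisory describes, as an added example that is not OpenSSL's code: a simplified heartbeat handler that validates the peer-supplied payload_length against the number of bytes actually received before echoing the payload. The record layout follows RFC 6520; the function name and the fixed 16-byte padding are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat message layout (RFC 6520):
 *   1 byte   HeartbeatMessageType (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   N bytes  payload
 *   >=16 bytes random padding
 * Added example, not OpenSSL's code. */

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Builds a heartbeat response in out. Returns the response length, or -1
 * if the record is malformed and must be silently discarded. rec_len is
 * the number of bytes actually received for this record. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    /* Header plus minimum padding must fit before any field is read. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;

    uint8_t type = rec[0];
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    const uint8_t *payload = rec + 3;

    if (type != HB_REQUEST)
        return -1;

    /* The bounds check that was missing: the claimed payload_length must
     * be covered by the bytes received. Without it, the memcpy below
     * would copy up to 64k of adjacent memory into the response. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);
    /* Padding would be random in a real implementation; zeroed here. */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}
```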
From the FAQ:
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
I just finished upgrading to OpenSSL 1.0.1g. If you are using Gentoo, at this moment dev-libs/openssl-1.0.1g is ~arch; unmask and update it now for the sake of security. You can read the bug report.
More than two years of exposure; the last time something was exposed for this long was the Debian random number generator bug in 2008, which I am sure some people still remember. I checked my emerge history: the first 1.0.1 release I installed was 1.0.1c on 2013-02-01, so I was unsafe for roughly 1 year and 2 months.
Just a month ago I was updating GnuTLS for another security issue, and now again. But what this tells me is that you get fixed very soon; open source doesn't wait for anybody.