It recently came to light that there is a serious programming error in OpenSSL that endangers the encryption keys and data of SSL connections on the Internet. The bug allows anyone to read out the memory of vulnerable servers. Specifically, this means an attacker can read keys, passwords and other private information. There is more information about the bug at http://heartbleed.com.
All VARiHOST infrastructure and shared web hosting servers were patched on Tuesday morning as soon as the vulnerability was announced. We have also reissued our own SSL certificates to secure our customers’ data on www.varihost.net.
It is important you take action to ensure you remain secure.
Shared Hosting (Basic, Plus, Extra and Managed WordPress accounts): customers need not take any action apart from updating any passwords.
VPS, Hybrid & Dedicated Server Customers
If you have your server managed by us, we have taken action for you.
Windows servers: Review any applications that have been installed, as they may be bundled with OpenSSL libraries. (Our standard build has no vulnerable applications installed.)
Linux servers: Inspect the installed OpenSSL library. The OpenSSL version can be viewed from the command line with the following command: openssl version
If a vulnerable version (1.0.1a-1.0.1f) is displayed, you will have to double check the installed package via other means, because distributions often ship the fix in an updated package without changing the version string that this command prints.
Vulnerable systems if unpatched: CentOS-6, Debian-7, Fedora, Ubuntu, FreeBSD
Not vulnerable systems: CentOS-5, Debian-6, Suse-11, Windows Server
We recommend that you patch your servers and restart any services utilising OpenSSL libraries. If in doubt, perform a server restart after patching.
For most distributions of Linux, security updates are already available:
- Debian / Ubuntu: apt-get update; apt-get -y install openssl libssl1.0.0
- Fedora / CentOS: yum -y update openssl
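After the update, any service that was already running keeps the old library loaded until it is restarted. The script below is an added example, not VARiHOST's own tooling: it lists processes that still map a replaced OpenSSL library. It assumes Linux with /proc mounted, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running the old OpenSSL code after
# the package update. When a library file is replaced on disk, processes
# that loaded it earlier show the mapping as "(deleted)" in /proc/<pid>/maps.
# Run as root to see every process.

# uses_stale_openssl FILE: succeeds if the maps file lists a libssl or
# libcrypto mapping marked "(deleted)".
uses_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)[^/ ]*\.so[^/ ]* \(deleted\)$' "$1" 2>/dev/null
}

# list_stale_pids [PROC_ROOT]: prints "PID COMMAND" for each process that
# needs a restart. PROC_ROOT defaults to /proc.
list_stale_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if uses_stale_openssl "$maps"; then
            dir=${maps%/maps}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            echo "${dir##*/} $name"
        fi
    done
}

# make_sample_proc: builds a small constructed /proc-like tree for trying
# the check offline and prints its path. PIDs, names and addresses are
# made up: 4321 still maps the old libssl, 4400 uses the current files.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/4321" "$root/4400"
    echo apache2 > "$root/4321/comm"
    echo sshd > "$root/4400/comm"
    printf '%s\n' \
        '7f3a1c000000-7f3a1c05a000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
        > "$root/4321/maps"
    printf '%s\n' \
        '7f9b20000000-7f9b201d0000 r-xp 00000000 08:01 1422 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0' \
        > "$root/4400/maps"
    echo "$root"
}

# Scan the live system, or the proc root given as the first argument.
list_stale_pids "${1:-/proc}"
```

No output means no running process still has a replaced OpenSSL library loaded; each listed service should be restarted.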
If you’re unsure or have any further questions, please submit a support ticket.