Our servers are not vulnerable to the “Heartbleed” SSL security bug

Posted April 8th, 2014 in Tech Corner. Tags: , .

Yesterday, Internet security researchers announced discovery of the Heartbleed SSL security bug. This bug allows attackers to bypass SSL encryption on servers that use certain versions of software called “OpenSSL”.

Our servers are not, and never have been, vulnerable to this bug, because we’ve never used the affected versions of the OpenSSL software. Our customers are not affected by it in any way.

Technical details

At the time the bug was disclosed, we were using Debian Linux openssl version “0.9.8o-4squeeze14”, which was not vulnerable.

After the bug was disclosed, we upgraded to a newer version of the openssl library for unrelated reasons and began using version “1.0.1e-2+deb7u7”, which is also not vulnerable according to the Debian page about this bug: “For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5 [and later]”.

Note that the fix is in the form of a Debian security backport. This leaves the base version number as “1.0.1e”, with the extra “-2+deb7u7” indicating the patched version. This can be confusing if you simply check the base version (one of our customers saw “1.0.1e” in the output of the “ssh -v” command, for example, and thought this meant it was vulnerable).

5 Comments

  1. on Wednesday, April 9, 2014 at 1:20 pm (Pacific) Joshua wrote:

    Thank you for the transparency and posting so promptly!

  2. on Thursday, April 10, 2014 at 10:41 am (Pacific) Volodymyr Frytskyy wrote:

    What if I’m using Total Commander with Secure FTP plugin for uploading files. I believe Secure FTP plugin uses OpenSSL library, or I’m wrong?

  3. on Thursday, April 10, 2014 at 12:51 pm (Pacific) Robert Mathews wrote:

    Volodymyr Frytskyy wrote:

    >What if I’m using Total Commander with Secure FTP plugin for uploading files. I believe Secure FTP plugin uses OpenSSL library, or I’m wrong?

    We don’t know whether that uses the OpenSSL library, but it wouldn’t matter even if it does, from the perspective of our end. Since we’ve never had a vulnerable version of the OpenSSL library present on any of our servers at any time, there’s no way for anyone to have ever used this bug to retrieve any information from any of our servers.

    If you’re using software on your computer that uses its own private copy of the vulnerable OpenSSL library, but that software doesn’t run as a “server” on your computer, that’s not a problem either. The problem only happens when server software — software that listens for incoming connections from “strangers”, like an SSL Web server — uses the vulnerable version of the OpenSSL library.

    So even if your Total Commander software uses a vulnerable version of OpenSSL on your own computer, it would only be a risk if strangers are also allowed to make incoming SSL connections to Total Commander running on your computer, which almost certainly isn’t the case.

  4. on Thursday, April 10, 2014 at 12:56 pm (Pacific) Russ wrote:

    Another example of why Tiger Tech is flat out the best hosting company on the planet!

  5. on Thursday, April 10, 2014 at 5:33 pm (Pacific) Geff wrote:

    I am so glad to hear this, & as Russ stated, your quality hosting why I’m here with 3 (unrelated) sites.

  1. Recent Posts

    1. PHP versions 8.2.17 and 8.3.4
    2. President’s Day 2024 holiday hours
    3. PHP versions 8.1.27 and 8.2.15
    4. Martin Luther King, Jr. Day 2024 holiday hours
    5. New Year’s 2024 Holiday Hours
    6. Christmas 2023 Holiday Hours
    7. Brief scheduled maintenance December 16-17, 2023
    8. Thanksgiving 2023 Holiday Hours
    9. PHP versions 8.1.25 and 8.2.12
    10. PHP versions 8.1.24 and 8.2.11

  2. Categories

  3. Tags

    all servers email holiday hours linux mailman maintenance mod_security mysql network php phpmyadmin security server updates spam ssl status updates webmail wordpress zapp

  4. Feeds