How to find out if your server is affected from Openssl Heartbleed vulnerability (CVE-2014-0160) and how to fix that


Version 1.2
Author: Till Brehm <t [dot] brehm [at] howtoforge [dot] com>
Follow Howtoforge on Twitter


A severe vulnerability in OpenSSL has been found, the vulnerability is named Heartbleed and affects the heartbeat implementation in Openssl version 1.0.1 up to version 1.0.1f. This velnerability can be used to get the private key of a SSL connection, so it is important to update the server immediately. The bug is fixed in OpenSSL 1.0.1g. All Major Linux Distributions have release updates to the vulnerability.


Find out if your server is affected

Run the command:

openssl version

to get the version number of openssl. If the command shows e.g.:

openssl version
OpenSSL 1.0.1e 11 Feb 2013

then your server might be vulnerable as the version is below 1.0.1g. But some Linux distributions patch packages, see below for instructions to find out if the package on your server has been patched.

If your server uses a 0.9.8 release like it is used on Debian squeeze, then the server is not vulnerable as the heartbeat function has been implemented in OpenSSL 1.0.1 and later versions only.

openssl version
OpenSSL 0.9.8o 01 Jun 2010


Fix the vulnerability

To fix the vulnerability, install the latest updates for your server.


apt-get update
apt-get upgrade


apt-get update
apt-get upgrade

Fedora and CentOS

yum update


zypper update

Then restart all services that use OpenSSL. On a ISPConfig 3 server, restart e.g. these services (when they are installed): sshd, apache, nginx, postfix, dovecot, courier, pure-ftpd, bind and mysql. If you want to be absolutely sure that you did not miss a service, then restart the whole server by running "reboot" on the shell.


Check if the Linux update installed the correct package

After you installed the Linux updates, check if the openssl package has been upgraded correctly. Some Linux distributions
patch packages, so "openssl version" does not always show whether the correct patch that fixes the vulnerability has been installed.

Check the package on Debian and Ubuntu:

dpkg-query -l 'openssl'

Here the output for a correctly patched Debian 7 (Wheezy) server:

dpkg-query -l 'openssl'
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version         Architecture   Description
ii  openssl             1.0.1e-2+deb7u5 amd64          Secure Socket Layer (SSL) binary and related

For Fedora and CentOS, use this command to find the installed package name:

rpm -qa | grep openssl

Here are the links with the release notes that contain the package names of the fixed versions:




There is now a test available to verify if you successfully closed the security hole in your Server. The test can be found here:


Q&A on this Topic in the howtoforge forum

Questions and answers on this topic in the howtoforge forum:



Share this page:

Suggested articles

8 Comment(s)

Add comment



You don't always get the real version with "openssl version".

Try "apt-cache policy openssl".


openssl 1.0.1e in centos has been fixed.

The only thing you have to do is: yum update

It will automatically download and update a backported version of openssl-1.0.1e-16.el6_5.7 which has been patched by RedHat with heartbeat disabled.

To verify the update, check the changelog:

# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

you should see the following:

* Mon Apr 07 2014 Tomáš Mráz <> 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

From: Anonymous-kjakich

Hey, Thanks for that. It worked! 

From: Nico

Can you hgelp me with this i'm on centos as well i did yum update and restarted the server yet the latest update is: 

 * Tue Jan 07 2014 Tomáš Mráz <> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash


From: Anonymous

>>> Run the command: openssl version to get the version number of openssh. <<< No, this will get you the vn of openssl. Don't drag OpenSSH into this, OpenSSH is not affected.


Thanks for pointing out this typo. I corrected it in the tutorial.



I think that if you have a server up and running  (in my case Ubuntu 12.04) apt-get update && apt-get upgrade is not the best way since you have other services that is a little dangerous to update.

You can  only apt-get update &&apt-get install openssl libssl1.0.0

Don't forget to restart server. This worked fine for me!


Please be aware that this fixes the openssl issue but leaves other issues open. So better check if you can not install all pending security updates. If your server is eetup correctly, then ubuntu maintennace and security updates should not cause any problems.