As of 1:45 AM EDT on April 8, 2014, all Nexcess managed systems vulnerable to CVE-2014-0160 (Heartbleed) have been patched. This vulnerability affects OpenSSL across many operating systems worldwide and is not a Nexcess-specific issue.
CentOS released an official OpenSSL patch that removes the newly discovered vulnerability. The OpenSSL package itself was upgraded seamlessly; however, every service linked against the older, vulnerable OpenSSL library had to be restarted before it would use the patched version. These services include Apache, PHP-FPM, InterWorx and the mail services (imap4-ssl, pop3-ssl, smtp, smpt2), so there was a very brief service interruption while they were restarted.
Online Heartbleed testers such as http://possible.lv/tools/hb/ simply connect to the server and check whether the heartbeat extension is enabled. The CentOS patch installed on our systems (https://bugzilla.redhat.com/attachment.cgi?id=883475) actually fixes the bug rather than disabling the heartbeat feature altogether. This means that, although the system is indeed patched, the online checkers will still report it as vulnerable: they cannot tell whether you are running the patched version, since there is no known PoC to test against.
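Because the online checkers cannot confirm the patch, and because a service that was not restarted keeps the old library mapped in memory, the practical verification is done on the host itself. The script below is an added example (not Nexcess's own tooling): it reports processes whose memory maps still reference a libssl/libcrypto file that the package upgrade replaced on disk (the kernel marks such mappings "(deleted)"), and it checks the CentOS package changelog for the CVE. The sample maps lines and PIDs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find services still running the pre-upgrade OpenSSL.

# Read lines of the form "<pid> <maps-line>" on stdin and print the PIDs
# that still map a replaced (deleted) libssl or libcrypto. Those processes
# keep executing the old library until they are restarted.
stale_ssl_pids() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' | awk '{print $1}' | sort -un
}

# Live scan: prefix every /proc/<pid>/maps line with its PID (run as root).
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        sed "s|^|$pid |" "$maps" 2>/dev/null
    done | stale_ssl_pids
}

# CentOS/RHEL: the fixed package names the CVE in its RPM changelog.
# Returns 0 when the installed openssl carries the CVE-2014-0160 fix.
has_cve_fix() {
    rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
}

# Constructed sample input (PID-prefixed maps lines). PID 1234 still maps
# the replaced libssl/libcrypto; 5678 maps the current file; 9012 maps a
# deleted library that is not OpenSSL and must not be reported.
SAMPLE_MAPS='1234 7f0a1c000000-7f0a1c1f8000 r-xp 00000000 08:01 393241 /usr/lib64/libssl.so.1.0.1e (deleted)
1234 7f0a1c400000-7f0a1c5c0000 r-xp 00000000 08:01 393238 /usr/lib64/libcrypto.so.1.0.1e (deleted)
5678 7f3b2d000000-7f3b2d1f8000 r-xp 00000000 08:01 401122 /usr/lib64/libssl.so.1.0.1e
9012 7f5c3e000000-7f5c3e010000 r-xp 00000000 08:01 12345 /usr/lib64/libz.so.1 (deleted)'

# Demonstration on the constructed sample; prints "1234".
printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_pids
```

On a real host, run `scan_proc` after the upgrade: every PID it prints belongs to a service (Apache, PHP-FPM, the mail daemons, and so on) that still needs a restart, and `has_cve_fix` confirms the installed package is the patched one.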