OpenSSL version for Heartbleed


How does one check the version of OpenSSL for the Heartbleed vulnerability on CentOS systems, and what is the procedure for manually updating it?


Solution

  • To check the version you should just be able to run the following command from the command line:

    openssl version -v

    This should output something like:

    OpenSSL 1.0.1e-fips 11 Feb 2013

    Information on which versions of OpenSSL are affected:

    Status of different versions:

    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    OpenSSL 1.0.1g is NOT vulnerable
    OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable
    

    The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.

    More information on the heartbleed vulnerability can be found at http://heartbleed.com/

    You only need to update if your CentOS host is a server running openssl. If you are worried about being a client connecting, the version of openssl is irrelevant as the vulnerability exploit depends on the server side version, not client side. A good blog post on how the heartbleed vulnerability works can be found here.

    To manually update openssl you can run the command:

    yum update openssl

    You will need to be root/have root privileges to run the update. See more information on managing packages for CentOS here.
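As an added example that is not part of the answer above, the following POSIX shell script turns the status table from the answer into a check that can be run against the output of `openssl version`. The function names and the sample version lines are constructed for illustration, not taken from a real host. One caveat that matters on CentOS in particular: distribution packages frequently ship a security fix as a backport without changing the upstream version string, so a version in the vulnerable range is a reason to inspect the installed package's changelog through the package manager, not a final verdict, and a version outside the range is only as trustworthy as the table it is compared against.

```shell
#!/bin/sh
# classify_openssl: map one "openssl version" output line onto the status
# table quoted in the answer. Prints one of: vulnerable, not-vulnerable, unknown.
classify_openssl() {
    line=$1
    # The second whitespace-separated field is the version, e.g. "1.0.1e-fips".
    ver=$(printf '%s\n' "$line" | awk '{print $2}')
    # Drop any vendor suffix after the first hyphen ("-fips", "-freebsd", ...).
    ver=${ver%%-*}
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;      # 1.0.1 through 1.0.1f inclusive
        1.0.1[g-z]*)      echo not-vulnerable ;;  # 1.0.1g or later in the 1.0.1 series
        1.0.0*|0.9.8*)    echo not-vulnerable ;;  # branches the table marks as unaffected
        *)                echo unknown ;;         # anything the table does not cover
    esac
}

# check_local_openssl: classify the binary on this host, if one is installed.
# Remember that a backported distro fix will not move the version string.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        classify_openssl "$(openssl version)"
    else
        echo unknown
    fi
}

# Constructed sample lines (not captured from a real system) for a stand-alone run.
for sample in \
    'OpenSSL 1.0.1e-fips 11 Feb 2013' \
    'OpenSSL 1.0.1g 7 Apr 2014' \
    'OpenSSL 1.0.0k 5 Feb 2013' \
    'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' \
    'OpenSSL 1.0.2a 19 Mar 2015'; do
    printf '%-40s %s\n' "$sample" "$(classify_openssl "$sample")"
done
printf '%-40s %s\n' 'this host' "$(check_local_openssl)"
```

The `case` patterns deliberately follow the table rather than a general version comparison: a series the answer does not mention (such as 1.0.2 in the last sample) is reported as `unknown` instead of being guessed at, which is the safer default for a script that feeds a fleet inventory.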