Security Advisory: The “Heartbleed” OpenSSL Bug

Hello all,

In light of the recent OpenSSL Security Advisory on the TLS heartbeat read overrun bug, also known as “Heartbleed”, the openssl package on cmip5.whoi.edu has been updated to the latest stable release. Although this bug is unlikely to affect cmip5, which is only accessible via the WHOI private network, secure information on many popular websites may already have been compromised, including:

  • Dropbox
  • Facebook
  • GitHub
  • Google, Google+, Gmail, & YouTube
  • Instagram
  • Pinterest
  • Netflix
  • SoundCloud
  • Tumblr
  • USAA
  • Yahoo & Yahoo Mail

Although there is no indication that this vulnerability has been exploited, or that any secure information has been leaked from any of these websites, it may be prudent to change your passwords on these sites. If you use the same password on multiple sites, and any of those sites is potentially compromised, then your login is potentially compromised on all of those sites.

Here is a simplified explanation of the Heartbleed bug: http://xkcd.com/1354/