Wondering whether your OS X has this OpenSSL vulnerability?
Well, normally NOT, because it comes with OpenSSL 0.9.8y, but if you have MacPorts, Homebrew or Fink installed, read on.
For this short tutorial I use Mavericks, since it is the newest, and MacPorts, because I have it installed:
Check OpenSSL version:
fmbp:~ home$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
This version is vulnerable, but it is not the OS version: a closer look shows that the command resolves to the MacPorts binary:
fmbp:~ home$ which openssl
/opt/local/bin/openssl
The OS version is here:
fmbp:~ home$ /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
Fortunately, MacPorts has the latest version, which is not impacted, so you can fix this by just updating the package:
fmbp:~ home$ sudo port selfupdate
fmbp:~ home$ sudo port upgrade openssl # or "sudo port -v upgrade outdated"
fmbp:~ home$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
If you want to switch to the OS version, run the following commands:
Note: any update of your custom repository (like port upgrade openssl above) will revert this modification.
fmbp:~ home$ sudo mv /opt/local/bin/openssl /opt/local/bin/openssl.bad
fmbp:~ home$ sudo ln -s /usr/bin/openssl /opt/local/bin/openssl
fmbp:~ home$ openssl version
OpenSSL 0.9.8y 5 Feb 2013
Once fixed, it is recommended to take some further steps, so read more about the OpenSSL vulnerability and other valuable details here: http://tar.gz.ro/openssl-heartbleed.html
Of course, you can also check whether MacPorts, or whatever repository you use, has been updated with a non-vulnerable version, but I leave that to you.
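The checks above can be repeated for every copy of openssl on the machine in one pass. The script below is an added example, not part of the original tutorial: the function names and the list of install prefixes (system, MacPorts, Homebrew, Fink) are assumptions, and it flags the 1.0.1 through 1.0.1f release range affected by Heartbleed.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# classify_openssl takes one line of `openssl version` output and prints
# vulnerable | not-affected | unknown.
# This is a version-string heuristic only: some vendors backport the fix
# without changing the letter, so treat "vulnerable" as "verify this build".
classify_openssl() {
    # The second field of "OpenSSL 1.0.1e 11 Feb 2013" is the version.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")                              echo unknown ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)   echo vulnerable ;;
        1.0.2-beta|1.0.2-beta1)          echo vulnerable ;;
        *)                               echo not-affected ;;
    esac
}

# scan_openssl checks each known location and marks the binary that a bare
# "openssl" command resolves to. The prefix list is an assumption
# (default install locations); extend it for custom prefixes.
scan_openssl() {
    active=$(command -v openssl 2>/dev/null || true)
    for bin in /usr/bin/openssl \
               /opt/local/bin/openssl \
               /usr/local/bin/openssl \
               /usr/local/opt/openssl/bin/openssl \
               /sw/bin/openssl; do
        [ -x "$bin" ] || continue
        line=$("$bin" version 2>/dev/null) || continue
        mark=""
        if [ "$bin" = "$active" ]; then mark=" <- first on PATH"; fi
        printf '%s: %s [%s]%s\n' \
            "$bin" "$line" "$(classify_openssl "$line")" "$mark"
    done
}

scan_openssl
```

A binary reported as vulnerable but not first on PATH still matters if other software is linked against the library from the same prefix.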
The big problem with this vulnerability is the servers you are connecting to. Of course, it is not good to have a buggy version of OpenSSL, which is why I wrote the tutorial above, but you had better test with a simple Perl script whether your services, mail and web servers are vulnerable.
The script is written in Python and available here: http://tar.gz.ro/openssl-heartbleed.html