OpenSSL Heartbleed Bug in OS X?

root's picture

You wonder if you OS X have this OpenSSL vulnerability?
Well, normally NOT because it comes with OpenSSL 0.9.8y but if you have MacPorts, Homebrew or Fink installed, read on.

For this short tutorial I take Mavericks since it is the newest and MacPorts because I have it installed:

Check OpenSSL version:

fmbp:~ home$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

Vulnerable but not the OS version because if we look better, it points out to the macports binary:

fmbp:~ home$ which openssl

The OS version is here:

fmbp:~ home$ /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013

Fortunately MacPorts have the latest version not impacted so you can fix this by just updating the package:

fmbp:~ home$ sudo port selfupdate
fmbp:~ home$ [color=green]sudo port upgrade openssl[/color] # or "sudo port -v upgrade outdated"
fmbp:~ home$ openssl version
OpenSSL 1.0.1g 7 Apr 2014

If you want to switch to the OS version, do the following commands:

Note: any update of your custom repository (like port upgrade openssl above) will revert this modification.

fmbp:~ home$ sudo mv /opt/local/bin/openssl /opt/local/bin/openssl.bad
fmbp:~ home$ sudo ln -s /usr/bin/openssl /opt/local/bin/openssl
fmbp:~ home$ openssl version
OpenSSL 0.9.8y 5 Feb 2013

Once fixed, it is recommended to take some further steps so read on about OpenSSL vulnerability and other valuable details here:
Of course, you can check also if MacPorts or whatever you use repository is updated with a non vulnerable version but I leave that to you.

The big problem with this vulnerability is the servers you are connecting to. Of course, it is not good to have a buggy version of OpenSSL so that is why the tutorial above but you better test with a simple perl script if your services, mail and web servers are vulnerable.
The script is written in python and available here:

Thou shalt not steal!

If you want to use this information on your own website, please remember: by doing copy/paste entirely it is always stealing and you should be ashamed of yourself! Have at least the decency to create your own text and comments and run the commands on your own servers and provide your output, not what I did!

Or at least link back to this website.