OpenSSL "heartbleed" security vulnerability

On 7 April, hackers abroad disclosed a memory leak vulnerability in OpenSSL. The flaw can leak 64k of an HTTPS server's memory at random, and that memory may contain program source code, users' raw HTTP requests, user cookies and even plaintext account passwords. Several white hats have already provided WooYun (乌云) with proof of impact, and a large number of internet companies and e-commerce sites are affected. Urgent!

OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected (on stock CentOS this mainly concerns 6.x).

It is recommended to upgrade OpenSSL. The CentOS repositories already provide the update; an OpenSSL installed from the stock packages can be upgraded with yum to 1.0.1e-16.el6_5.7 to resolve the issue. Restart the web server after upgrading.

https://www.openssl.org/news/secadv_20140407.txt

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
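To make the "missing bounds check" concrete, here is an added illustration (not code from the advisory or from OpenSSL itself) of the check the fix introduced, written against a simplified heartbeat record; the function names, the record layout constants and the constructed sample record are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. Names are assumed. */
#define HB_HEADER  3
#define HB_PADDING 16

/* The bounds check the 1.0.1g fix added: the declared payload length must fit
 * inside the bytes actually received. Before the fix the declared length was trusted
 * as the copy size, so a short record echoed back whatever followed it in memory. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER + HB_PADDING)
        return 0;                               /* cannot even hold an empty payload */
    uint16_t n = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + n + HB_PADDING > rec_len)
        return 0;                               /* declared length overruns the record */
    *payload_len = n;
    return 1;
}

/* Build the response from a validated request only; returns bytes written,
 * or 0 when the record is rejected (the fixed code silently discards it). */
size_t heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    uint16_t n;
    if (!heartbeat_length_ok(rec, rec_len, &n) || out_len < (size_t)HB_HEADER + n + HB_PADDING)
        return 0;
    out[0] = 2;                                 /* heartbeat_response type */
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + HB_HEADER, rec + HB_HEADER, n); /* copies only the n bytes verified to exist */
    memset(out + HB_HEADER + n, 0, HB_PADDING); /* real padding would be random */
    return HB_HEADER + n + HB_PADDING;
}

/* Constructed sample record ("hello" plus 16 padding bytes) whose declared length
 * is supplied by the caller, so the check can be exercised stand-alone. */
size_t demo_response(uint8_t len_hi, uint8_t len_lo)
{
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = {1, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    rec[1] = len_hi;
    rec[2] = len_lo;
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out); /* (0,5) -> 24; (0xFF,0xFF) -> 0 */
}
```

An honest record that declares the 5 bytes it carries is echoed back (24 bytes including header and padding), while a record that declares 65535 bytes but carries 5 is dropped instead of being answered from adjacent memory.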
