These are upgrading instructions for the new OpenSSL vulnerability, Heartbleed. This is only for Mac, and assumes you have Homebrew installed.
You need to upgrade OpenSSL to at least version 1.0.1g.
$ brew update
$ brew upgrade openssl
$ brew link --force openssl
$ hash -r # refresh the executable lookup
Now $ openssl version -a should show the correct version (1.0.1g or higher).
Since SSH is also running an older version of OpenSSL, you'll need to update it as well.
$ brew tap homebrew/dupes
$ brew install openssh
$ hash -r # refresh the executable lookup
Now $ ssh -V should show that it's installed with the correct version of OpenSSL (1.0.1g or higher).
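An added example, not part of the original instructions: a shell function that classifies the OpenSSL version reported by the two checks above (openssl version and ssh -V). The function names, the sample banners and the affected range (1.0.1 through 1.0.1f, with the 0.9.8 and 1.0.0 branches never affected) are assumptions added here; the page itself only states that 1.0.1g or higher is required.

```bash
#!/bin/sh
# Added example: classify a version banner against the Heartbleed range.
# Assumption (not from the page): affected releases are 1.0.1 through 1.0.1f.

# Pull the token that follows "OpenSSL " out of a banner such as the output
# of `openssl version` or `ssh -V`. Prints nothing if no such token exists.
extract_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ,]*\).*/\1/p' | head -n 1
}

# Print one of: vulnerable, patched, not-affected, unknown.
heartbleed_status() {
    v=$(extract_openssl_version "$1")
    case "$v" in
        "")               echo "unknown" ;;       # e.g. a LibreSSL build
        *-beta*|*-pre*)   echo "unknown" ;;       # pre-releases: check by hand
        1.0.1|1.0.1[a-f]) echo "vulnerable" ;;    # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)      echo "patched" ;;       # 1.0.1g and later letters
        0.*|1.0.0*)       echo "not-affected" ;;  # branches without heartbeat
        *)                echo "patched" ;;       # newer release series
    esac
}

# Print "<label> <status> <banner>" for one banner.
report() {
    printf '%-8s %-13s %s\n' "$1" "$(heartbleed_status "$2")" "$2"
}

# Constructed sample banners (not captured from a real host).
report sample "OpenSSL 1.0.1f 6 Jan 2014"
report sample "OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014"

# Live check of whatever is first on PATH, after `hash -r` as in the steps.
if command -v openssl >/dev/null 2>&1; then
    report openssl "$(openssl version 2>&1)"
fi
if command -v ssh >/dev/null 2>&1; then
    report ssh "$(ssh -V 2>&1)"
fi
```

This only inspects the binaries first on PATH; the sshd that answers on port 22 is checked separately by the banner test further down.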
Port 22 on your machine is still served by the old version of SSH, so you need to change the Program and ProgramArguments keys in /System/Library/LaunchDaemons/ssh.plist to point to the new OpenSSH (you'll need sudo access to change the file):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>com.openssh.sshd</string>
<key>Program</key>
- <string>/usr/libexec/sshd-keygen-wrapper</string>
+ <string>/usr/local/sbin/sshd</string>
<key>ProgramArguments</key>
<array>
- <string>/usr/sbin/sshd</string>
+ <string>/usr/local/sbin/sshd</string>
<string>-i</string>
</array>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SockServiceName</key>
<string>ssh</string>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
</dict>
</dict>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>SHAuthorizationRight</key>
<string>system.preferences</string>
<key>POSIXSpawnType</key>
<string>Interactive</string>
</dict>
</plist>
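Review bot: In the Program and ProgramArguments strings, /usr/local/sbin/sshd puts a root-launched daemon binary under Homebrew's prefix, which is normally owned by the installing user rather than root. Since this job lives in /System/Library/LaunchDaemons and listens on the ssh service socket, check that the file and its parent directories are root-owned and not group- or world-writable, or install the new sshd to a root-owned path and reference that instead. Replacing /usr/libexec/sshd-keygen-wrapper in Program also skips whatever that wrapper does before starting sshd, so confirm that host keys already exist where the new sshd looks for them.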
And reload the plist:
$ sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
$ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
Now $ telnet localhost 22 should show the correct SSH version – SSH-2.0-OpenSSH_6.6 (or higher). (Press "Enter" to exit telnet.) This is taken from a StackOverflow question.
Since your Rubies were so far installed with an older version of OpenSSL, you may need to update them as well. I think it's not necessary if you're not actually using OpenSSL in your Ruby code.
If you're using ruby-build to install your rubies, Sferik released an update which includes the new OpenSSL, so use it to update your rubies.
Doesn't work for me on Yosemite
Need to remove these lines from the plist: