Then you have to worry about all the esoteric services.
# VisualSVN Server Heartbleed update
First, Apache is often bundled with applications that provide web interfaces; I had to manually update a couple of those, as the app provider in question was either slow to or didn't bother to push out an update addressing Heartbleed. Yeah, there are the big ones like running an SSL website on Apache, but it's easy to miss some. When Heartbleed became public knowledge, we had to dig through every service used by us and our clients to see if they were vulnerable. I think the problem isn't that sysadmins are unaware of Heartbleed, but rather are unaware that they are running vulnerable versions of OpenSSL. You really have to be unaware or not care to be at that point right now. This much later, it is rather amazing half of those servers aren't updated. I had to make sure it was kosher with some of the application developers, and executed it first in a test environment.

But the end fix is as easy as, package manager dependent:

Given we're the largest economy in the world, and certainly one of the largest digital ones, it would make perfect sense that we should as well.

But, then again, the CF that we call the US.gov is so dysfunctional that it's the definition of "common sense isn't." Further, why should companies be responsible to and on behalf of their clients when they can pay off Congress and be lazy instead? One more reason why in this day and age the US should have an all-encompassing bill that requires companies to protect customers' and employees' personally identifiable information. But to sue you have to prove quantifiable harm that came from that given site's error. Failure to do so should be considered negligence at the least. This is a nice example of a security flaw that is known and easy to fix.
Not surprising, since generally speaking companies suffer no negative repercussions for failure to patch their systems.
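The two ways the thread says Heartbleed remediation goes wrong are not knowing that the installed OpenSSL is in the affected range, and services (bundled Apache instances and the like) that keep running the old library after the package is replaced. The script below is an added example written for this page, not code from the thread or from VisualSVN; it checks both on a Linux host. It assumes the `/proc/<pid>/maps` layout, the `SAMPLE_MAPS` entries are constructed, and the version verdict is based purely on the upstream version number: distributions that backport the fix keep the old version string (a patched 1.0.1e is common), so a "vulnerable" result from the first check still has to be confirmed against the vendor advisory or package changelog.

```python
"""Heartbleed exposure check for one host (added example, not the thread's own
tooling). Two checks:
  1. classify the upstream OpenSSL version number against the affected range
     (1.0.1 through 1.0.1f, 1.0.2-beta through 1.0.2-beta1);
  2. list processes still mapping a libssl/libcrypto file that the upgrade
     deleted from disk, i.e. services never restarted after the package update.
Assumptions: Linux /proc layout. Vendors often backport the fix without
changing the upstream version string, so treat a 'vulnerable' verdict from
check 1 as 'confirm against the vendor advisory', not as proof.
"""
import os
import re
import subprocess

_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z]+)(\d*))?"
)


def classify_upstream_version(banner: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unaffected', judged on the version number only."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, pre, pre_num = m.group(4), m.group(5), m.group(6)
    if (major, minor, fix) < (1, 0, 1):
        return "unaffected"  # 0.9.8 and 1.0.0 never shipped the heartbeat code
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed
        return "vulnerable" if letter <= "f" else "fixed"
    if (major, minor, fix) == (1, 0, 2) and pre == "beta" and pre_num in ("", "1"):
        return "vulnerable"  # 1.0.2-beta and -beta1; -beta2 and the release are fixed
    return "fixed"


def stale_libssl_pids(maps_by_pid: dict) -> list:
    """Given {pid: contents of /proc/<pid>/maps}, return pids that still map a
    libssl/libcrypto shared object which has since been deleted from disk."""
    stale = []
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if line.rstrip().endswith("(deleted)") and re.search(r"lib(ssl|crypto)\.so", line):
                stale.append(pid)
                break
    return sorted(stale)


def read_proc_maps() -> dict:
    """Collect /proc/<pid>/maps for every process we are allowed to read (Linux only)."""
    result = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps", encoding="utf-8", errors="replace") as fh:
                result[int(entry)] = fh.read()
        except OSError:
            continue  # process exited, or not ours to inspect
    return result


# Constructed sample: pid 1234 (think of a bundled Apache) still runs the deleted
# library; pid 1235 was restarted and maps the replacement file.
SAMPLE_MAPS = {
    1234: "7f3a00000000-7f3a00040000 r-xp 00000000 08:01 1010 "
          "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n",
    1235: "7f3b00000000-7f3b00040000 r-xp 00000000 08:01 2020 "
          "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n",
}

if __name__ == "__main__":
    banner = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(f"{banner.strip()!r}: {classify_upstream_version(banner)} "
          "(confirm against the vendor advisory if 'vulnerable')")
    print("processes still running a deleted libssl/libcrypto:",
          stale_libssl_pids(read_proc_maps()))
```

Run it as root after the package upgrade; any pid it lists is a service that was not restarted and is still executing the old library, which is exactly the case a version check alone never catches.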