Ask HN: OpenSSL/Heartbleed for internal company apps?

1 points by engtech 12 years ago · 1 comment · 1 min read

Are you bothering to check OpenSSL versions for internal apps like:

- revision control
- wikis
- tool installs like perl, python (because of LDAP authentication)

Looking around it seems like Perforce and Subversion had heartbleed vulnerabilities for specific configurations.

Looking through various LDAP plugins for different tools, they may use a version of OpenSSL that is vulnerable.

Should we be patching OpenSSL on all of the Linux boxes and not just web servers?

asdafa 12 years ago

Yes, definitely.

You should consider all servers running a vulnerable OpenSSL installation to be compromised. You'll need to rekey all your certificates.

Do not trust the fact that "the servers are internal" because if your perimeter has been breached you will most likely know only after the fact.

Personally, I tend to treat internal services with the same process I use for external services, they just come second on the list.
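An added example, not from either poster, of the kind of inventory check the question asks about, done from the defender's side on a Linux host: a first-pass `openssl version` string check, plus a scan of `/proc/*/maps` for processes that still hold a libssl/libcrypto that was replaced on disk by a patch and therefore need a restart. The sample maps content and library paths are constructed; the affected-version range is the one from the upstream Heartbleed advisory.

```python
import re
from pathlib import Path

# Heartbleed affected upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g fixed it. Distros also shipped backported fixes without bumping the
# version string, so a match here is "investigate", not "vulnerable".
SUSPECT_RE = re.compile(r"^OpenSSL (1\.0\.1([a-f])?|1\.0\.2-beta1)\b")

def version_is_suspect(version_line: str) -> bool:
    """True if `openssl version` output names a release in the affected range."""
    return SUSPECT_RE.match(version_line.strip()) is not None

def stale_ssl_maps(maps_text: str) -> list:
    """Paths of libssl/libcrypto mappings whose backing file was replaced or
    removed on disk ("(deleted)"): the process is still running the old code.
    Tools that bundle a statically linked OpenSSL (the perl/python installs
    the question mentions) will not show up here and need their own check."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)   # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue                     # anonymous mapping, no path
        path = parts[5]
        if ("libssl" in path or "libcrypto" in path) and path.endswith("(deleted)"):
            stale.add(path)
    return sorted(stale)

def scan_processes(proc_root: str = "/proc") -> dict:
    """Walk /proc and map PID -> stale SSL library mappings (Linux only)."""
    report = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            text = (pid_dir / "maps").read_text()
        except OSError:                  # process exited or not ours to read
            continue
        stale = stale_ssl_maps(text)
        if stale:
            report[int(pid_dir.name)] = stale
    return report

# Constructed sample of a /proc/<pid>/maps excerpt after libssl/libcrypto were upgraded.
SAMPLE_MAPS = """\
7f2a3c000000-7f2a3c1f0000 r-xp 00000000 08:01 131079 /lib/x86_64-linux-gnu/libc-2.19.so
7f2a3c400000-7f2a3c460000 r-xp 00000000 08:01 131104 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a3c660000-7f2a3c661000 rw-p 00060000 08:01 131104 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a3c800000-7f2a3c9a0000 r-xp 00000000 08:01 131100 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f2a3cb00000-7f2a3cb20000 r-xp 00000000 08:01 131200 /usr/lib/perl5/auto/Net/SSLeay/SSLeay.so
7f2a3cd00000-7f2a3cd21000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print(stale_ssl_maps(SAMPLE_MAPS))
    for pid, libs in scan_processes().items():
        print(pid, libs)
```

Run it as root after `openssl` and `libssl` packages are updated; every PID it lists (LDAP-authenticating daemons, Subversion/Perforce servers, wiki app servers) still has the old library in memory until restarted.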
