The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Note: It is not a bug in Magento.
What is my chances of getting affected with this bug?
OpenSSL is the mostly widely used cryptographic software library. There are 100% chances that you are exposed to this bug directly or indriectly.
How should I know whether my confidential information is compromised by this bug?
The nature of this bug is that, the attacker can steal the data without leaving any trace. It is impossible to know, whether your information is compromised or not.
What versions of the OpenSSL are affected?
Status of different versions:
•OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
•OpenSSL 1.0.1g is NOT vulnerable
•OpenSSL 1.0.0 branch is NOT vulnerable
•OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug
How should I know whether the magento store is affected with this heartbleed bug?
There are many websites available to check and let you know the status, refer below.
What should I do now to stop the leak?
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Update your OpenSSL version to 1.0.1g which has the fix to this bug and security fixes
Refer and download the fix from: http://www.openssl.org/
For more information , check out this YouTube video